Methods and systems for transmitting and receiving data through tunnel groups

ABSTRACT

Methods and systems for transmitting and receiving data between a first node and a second node through a first tunnel group and a second tunnel group respectively. The first node transmits data to the second node mainly through a first tunnel group and receives data from the second node mainly through a second tunnel group. In some embodiments, the first node receives first IP packets from one of its LAN interfaces, encapsulates them, and transmits the encapsulated first IP packets mainly through a first one or more WAN interfaces to the second node. The first node receives encapsulated second IP packets mainly from the second node through a second one or more of its WAN interfaces. The second IP packets are then decapsulated and transmitted through one of the LAN interfaces of the first node.

RELATED APPLICATIONS

The present application is a Continuation application which claims the benefits of and is based on U.S. application Ser. No. 14/396,747 filed on Oct. 24, 2014, which is a National Stage Application and further claims the benefits of and is based on International Application No. PCT/M2014/059378 filed on Mar. 3, 2014, the disclosures of which are hereby incorporated by specific reference thereto.

TECHNICAL FIELD

The present invention relates in general to the field of computer networks. More particularly, the present invention relates to a method carried out by a first node for transmitting data to a second node mainly through a first tunnel group and receiving data from the second node mainly through a second tunnel group.

BACKGROUND ART

Internet service providers can provide satellite Internet service to users through geostationary satellites which may offer high data throughput. In addition to the high throughput, the coverage area of satellite networks is also very big compared to other wireless networks that may be available in recent times. Satellite networks often provide coverage in many rural areas where other wireless networks may not be available. However, satellite communications have higher latencies compared to other wireless communications due to the data having to travel long distances to the geostationary satellite. Although satellite communications provide very high performance for downlink data, performance of communications through satellite may not be satisfactory for uplink data, especially if uplink is done from many devices at once, i.e. from customers of the Internet service providers.

The paper titled “Networking using Direct Broadcast Satellite” (Venkata Padmanabhan, Hari Balakrishnan, Keith Sklower, Elan Amir, and Randy H. Katz. Networking using Direct Broadcast Satellite. In Proc. of the 1st International Workshop on Satellite-based Services, Rye, N.Y., November 1996. University of California at Berkeley) presents a networking architecture where a geostationary satellite broadcasts directly to user premises, while outgoing traffic from the user premises to the Internet is sent over an SLIP/PPP line. This paper explains in detail an asymmetric routing technology. There are two options for sending packets from the users to the Internet. In the first option, packets are encapsulated and sent over the SLIP line using the DBS source address. In the second option, home agent-based routing is used.

Users may enjoy high downlink bandwidth when accessing the Internet through a satellite network. However, for transmitting packets to a host or node accessible through the Internet, using wireless networks other than a satellite network may provide lower latency and may be cost effective. For a data session using a connection-oriented protocol, techniques are required for automatically enabling a user to use a satellite network for downlink and another wireless or wired network for uplink, while taking into account the asymmetric bandwidth and asymmetric latency.

DISCLOSURE OF INVENTION

Summary

The embodiments of the present invention describe, in general, a first node and a second node communicating with each other through one or more tunnels.

According to one of the embodiments of the present invention, the first node transmits data to the second node mainly through a first tunnel group, and receives data from the second node mainly through a second tunnel group. There is at least one tunnel in the first tunnel group and at least one tunnel in the second tunnel group. The at least one tunnel in the first tunnel group and the at least one tunnel in the second tunnel group are formed using at least two network interfaces of the first node.

In a preferred embodiment, the at least one tunnel in the first tunnel group is established through at least one network which, in general, has a network latency less than 150 milliseconds. The at least one tunnel in the second tunnel group is established through at least one satellite connection.

According to one of the embodiments, when network performance of the first tunnel group is below a first threshold, the first node transmits data through the second tunnel group. When network performance of the second tunnel group is below a second threshold, the first node receives data through the first tunnel group.

According to one of the embodiments of the present invention, the tunnels in the first tunnel group and the tunnels in the second tunnel group are aggregated together to form one aggregated tunnel.

According to one of the embodiments of the present invention, the first node transmits one or more tunnel management messages to, or receives one or more tunnel management messages from, the second node. A tunnel management message may be sent from one node to another node to inform the other node which tunnels should be used for transmitting data and which tunnels should be used for receiving data.

According to one of the embodiments of the present invention, when the first node receives first IP packets from a host through at least one of its Local Area Network (LAN) interfaces, the first node encapsulates the first IP packets in first encapsulating IP packets. The first node then transmits the first encapsulating IP packets mainly through a first one or more Wide Area Network (WAN) interfaces to a second node. The first node receives second encapsulating IP packets mainly through a second one or more WAN interfaces from the second node, and then decapsulates the second encapsulating IP packets to retrieve second IP packets. The second IP packets are transmitted through at least one corresponding LAN interface. The first one or more WAN interfaces are connected to a wireless network and the second one or more WAN interfaces are connected to a satellite connection. The first node further sends the second node information of the first one or more WAN interfaces and the second one or more WAN interfaces.

The details of one or more embodiments of the invention are set forth in the accompanying drawings and the description below. Other features, objects, and advantages of the invention will be apparent from the description and drawings, and from the claims.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 illustrates a network configuration according to various embodiments of the present invention.

FIG. 2 illustrates tunnels established between a first node and a second node according to various embodiments of the present invention.

FIG. 3 is an illustrative block diagram of a computer system or network node according to one of the embodiments of the present invention.

FIG. 4 is an illustrative block diagram of a computer system or network node according to one of the embodiments of the present invention.

FIG. 5 is an illustrative block diagram of a computer system or network node according to one of the embodiments of the present invention.

FIG. 6A is a flowchart illustrating a process for a first node to transmit and receive data to and from a second node according to one of the embodiments of the present invention.

FIG. 6B is a flowchart illustrating a process for a first node to transmit and receive data to and from a second node according to one of the embodiments of the present invention.

FIG. 6C is a flowchart illustrating a process for a first node to transmit and receive data to and from a second node according to one of the embodiments of the present invention.

FIG. 7 illustrates a network configuration according to various embodiments of the present invention.

FIG. 8 illustrates the communication steps of a node communicating with a host according to one of the embodiments of the present invention.

FIG. 9 illustrates the structure of an IP packet being transmitted at each communication step according to one of the embodiments of the present invention.

FIG. 10 illustrates a webpage used to configure a first node according to one of the embodiments of the present invention.

FIG. 11 illustrates a webpage used to configure a first node according to one of the embodiments of the present invention.

DETAILED DESCRIPTION

The ensuing description provides preferred exemplary embodiment(s) only, and is not intended to limit the scope, applicability or configuration of the invention. Rather, the ensuing description of the preferred exemplary embodiment(s) will provide those skilled in the art with an enabling description for implementing a preferred exemplary embodiment of the invention. It being understood that various changes may be made in the function and arrangement of elements without departing from the spirit and scope of the invention as set forth in the appended claims.

Specific details are given in the following description to provide a thorough understanding of the embodiments. However, it will be understood by one of ordinary skill in the art that the embodiments may be practiced without these specific details. For example, circuits may be shown in block diagrams in order not to obscure the embodiments in unnecessary detail. In other instances, well-known circuits, processes, algorithms, structures, and techniques may be shown without unnecessary detail in order to avoid obscuring the embodiments.

Also, it is noted that the embodiments may be described as a process which is depicted as a flowchart, a flow diagram, a data flow diagram, a structure diagram, or a block diagram. Although a flowchart may describe the operations as a sequential process, many of the operations can be performed in parallel or concurrently. In addition, the order of the operations may be re-arranged. A process is terminated when its operations are completed, but could have additional steps not included in the figure. A process may correspond to a method, a function, a procedure, a subroutine, a subprogram, etc. When a process corresponds to a function, its termination corresponds to a return of the function to the calling function or the main function.

Embodiments, or portions thereof, may be embodied in program instructions operable upon a processing unit for performing functions and operations as described herein. The program instructions making up the various embodiments may be stored in a computer readable storage medium.

Moreover, as disclosed herein, the term “computer readable storage medium”, “main memory”, or “secondary storage” may represent one or more devices for storing data, including read only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), random access memory (RAM), magnetic RAM, core memory, floppy disk, flexible disk, hard disk, magnetic tape, CD-ROM, flash memory devices, a memory card and/or other machine readable mediums for storing information. The term “computer readable storage media” may also include, but is not limited to, portable or fixed storage devices, optical storage mediums, magnetic mediums, memory chips or cartridges, wireless channels and various other mediums capable of storing, containing or carrying instruction(s) and/or data. A computer readable storage medium can be realized by virtualization, and can be a virtual computer readable storage medium including a virtual computer readable storage medium in a cloud-based instance.

The term “computer readable storage media”, “main memory”, or “secondary storage”, as used herein refers to any medium that participates in providing instructions to a processing unit for execution. The main memory or secondary storage is just one example of a machine-readable medium, which may carry instructions for implementing any of the methods and/or techniques described herein. Such a medium may take many forms, including but not limited to, non-volatile media, volatile media, and transmission media. Non-volatile media includes, for example, optical or magnetic disks. Volatile media includes dynamic memory. Transmission media includes coaxial cables, copper wire and fiber optics. Transmission media can also take the form of acoustic or light waves, such as those generated during radio-wave and infra-red data communications.

A volatile storage may be used for storing temporary variables or other intermediate information during execution of instructions by the processing unit. A non-volatile storage or static storage may be used for storing static information and instructions for the processing unit, as well as various system configuration parameters.

The computer readable storage medium may include a number of software modules that may be implemented as software code to be executed by the processing unit using any suitable computer instruction type. The software code may be stored as a series of instructions or commands, or as a program in the computer readable storage medium.

Various forms of computer readable storage media may be involved in carrying one or more sequences of one or more instructions to the processing unit for execution. For example, the instructions may initially be carried on a magnetic disk from a remote computer. Alternatively, a remote computer can load the instructions into its dynamic memory and send the instructions to the system that runs the one or more sequences of one or more instructions.

A processing unit may be a microprocessor, a microcontroller, a digital signal processor (DSP), any combination of those devices, or any other circuitry configured to process information.

A processing unit executes program instructions or code segments for implementing embodiments of the present invention. Furthermore, embodiments may be implemented by hardware, software, firmware, middleware, microcode, hardware description languages, or any combination thereof. When implemented in software, firmware, middleware or microcode, the program instructions to perform the necessary tasks may be stored in a computer readable storage medium. A processing unit(s) can be realized by virtualization, and can be a virtual processing unit(s) including a virtual processing unit in a cloud-based instance.

Embodiments of the present invention are related to the use of a computer system for implementing the techniques described herein. In an embodiment, the inventive processing units may reside on a machine such as a computer platform. According to one embodiment of the invention, the techniques described herein are performed by a computer system in response to the processing unit executing one or more sequences of one or more instructions contained in the volatile memory. Such instructions may be read into the volatile memory from another computer readable storage medium. Execution of the sequences of instructions contained in the volatile memory causes the processing unit to perform the process steps described herein. In alternative embodiments, hard-wired circuitry may be used in place of or in combination with software instructions to implement the invention. Thus, embodiments of the invention are not limited to any specific combination of hardware circuitry and software.

A code segment may represent a procedure, a function, a subprogram, a program, a routine, a subroutine, a module, a software package, a class, or any combination of instructions, data structures, or program statements. A code segment may be coupled to another code segment or a hardware circuit by passing and/or receiving information, data, arguments, parameters, or memory contents. Information, arguments, parameters, data, etc. may be passed, forwarded, or transmitted via any suitable means including memory sharing, message passing, token passing, network transmission, etc.

A network interface that may be provided by a node is an Ethernet interface, a frame relay interface, a fibre optic interface, a cable interface, a DSL interface, a token ring interface, a serial bus interface, a universal serial bus (USB) interface, a Firewire interface, a Peripheral Component Interconnect (PCI) interface, etc.

A network interface may be implemented by a standalone electronic component or may be integrated with other electronic components. A network interface may have no network connection or at least one network connection depending on the configuration. A network interface may be an Ethernet interface, a frame relay interface, a fibre optic interface, a cable interface, a Digital Subscriber Line (DSL) interface, a token ring interface, a serial bus interface, a universal serial bus (USB) interface, a Firewire interface, a Peripheral Component Interconnect (PCI) interface, etc.

A presently preferred embodiment of the present invention may utilize a gateway. A gateway is a device which performs protocol conversion between different types of networks or applications. The term gateway is not meant to be limited to a single type of device, as any device, hardware or software, that may act as a bridge between the user and the networks may be considered a gateway for purposes of this application. The gateway may couple with a plurality of multiple networks. A router, an access point or a wireless access point may all be considered a gateway for purposes of this invention.

Embodiments, or portions thereof, may be embodied in a computer data signal, which may be in any suitable form for communication over a transmission medium such that it is readable for execution by a functional device (e.g., processing unit) for performing the operations described herein. The computer data signal may include any binary digital electronic signal that can propagate over a transmission medium such as electronic network channels, optical fibers, air, electromagnetic media, radio frequency (RF) links, and the like, and thus the data signal may be in the form of an electrical signal, optical signal, radio frequency or other wireless communication signal, etc. The code segments may, in certain embodiments, be downloaded via computer networks such as the Internet, an intranet, LAN, MAN, WAN, the PSTN, a satellite communication system, a cable transmission system, and/or the like.

System:

FIG. 3 is an illustrative block diagram of a computer system or network node, such as node 101, according to one of the embodiments of the present invention. Node 101 comprises processing unit 301, main memory 302, system bus 303, secondary storage 304, local area network (LAN) interfaces 122 a and 122 b, and wide area network (WAN) interfaces 121 a, 121 b, and 121 c. Secondary storage 304 and main memory 302 are computer readable storage media. Processing unit 301 and main memory 302 are connected to each other directly. System bus 303 connects processing unit 301 directly or indirectly to secondary storage 304, LAN interfaces 122 a and 122 b, and WAN interfaces 121 a, 121 b, 121 c, and 121 d. Using system bus 303 allows node 101 to have increased modularity. System bus 303 couples processing unit 301 to secondary storage 304, LAN interfaces 122 a and 122 b, and WAN interfaces 121 a, 121 b, 121 c, and 121 d. System bus 303 can be any of several types of bus structures including a memory bus, a peripheral bus, and a local bus using any of a variety of bus architectures. Secondary storage 304 stores program instructions for execution by processing unit 301. The scope of the invention is not limited to node 101 having five network interfaces, such that node 101 may have more network interfaces. LAN interfaces 122 a and 122 b, and WAN interfaces 121 a, 121 b, 121 c, and 121 d are specified for illustration purposes only.

FIG. 4 is an illustrative block diagram of a computer system or network node, such as node 102, according to one of the embodiments of the present invention. Node 102 comprises processing unit 401, main memory 402, system bus 403, secondary storage 404, LAN interface 132, and WAN interfaces 131 a, 131 b, and 131 c. The components of node 102 are connected to each other in a similar way as the components of node 101.

FIG. 5 is an illustrative block diagram of a computer system or network node, such as node 702, according to one of the embodiments of the present invention. Node 702 comprises processing unit 501, main memory 502, system bus 503, secondary storage 504, and WAN interface 703. The components of node 702 are connected to each other in a similar way as the components of node 101. Alternatively, node 702 may also be represented by the block diagram in FIG. 3 or FIG. 4, such that node 702 may have one or more WAN interfaces, and one or more LAN interfaces.

FIG. 1 illustrates a network configuration according to various embodiments of the present invention. Node 101 is connected to node 102 through four tunnels: tunnels 201 a, 201 b, 201 c and 201 d illustrated in FIG. 2. LAN interface 122 a connects node 101 to host 103 a through interconnected networks 117 using connections 115 a and 115 c. LAN interface 122 b connects node 101 to host 103 b using connection 115 b.

For illustration purpose, node 101 connects to a satellite network through WAN interface 121 a for establishing tunnel 201 a with node 102. WAN interface 121 a communicates with satellite network 150 by using satellite modem 161; node 102 connects to satellite network 150 through WAN interface 131 a and satellite modem 160 for establishing tunnel 201 a with node 101.

The connection between WAN interface 121 a and satellite network 150 and the connection between WAN interface 131 a and satellite network 150 are using satellite modems 160 and 161 respectively. Satellite modems 160 and 161 may have an embedded antenna or an external antenna used for communicating with satellite network 150 through connections 112 a and 110 a respectively. WAN interfaces 131 a and 121 a connect to satellite modems 160 and 161 respectively through wired or wireless connection media 114 and 113 respectively. Preferably connection media 114 and 113 are fast-speed wired connection media, such as a computer bus, Universal Serial Bus (USB), serial bus, parallel bus, fiber optics, FireWire, Thunderbolt, etc. Satellite modem 160 can also be included within a housing that contains node 102, and satellite modem 161 can be included within a housing that contains node 101. Alternatively, node 102 can include an auxiliary port into which satellite modem 160 is plugged. Satellite modems 160 and 161 are configured to transmit and receive communications to and from satellite network 150. Satellite modems 160 and 161 may be selected from any number of available satellite modems, including but not limited to: Quake Global; Comtech EF Data; Datum Systems; Hughes Network Systems; Newtec; Paradise Datacom; Radyne ComStream; Shiron Satellite Communications; Advantech AMT (formerly Signal Processors, SPL/ACT, ACT Wireless); and TSI Technology.

Also for illustration purpose, node 101 establishes tunnel 201 b with node 102 through WAN interface 121 b, wireless network 180 and WAN interface 131 b. WAN interface 121 b communicates with wireless network 180 through a wireless communication channel 110 b. Similarly WAN interface 131 b communicates with wireless network 180 through wireless communication channel 112 b. Communication through wireless communication channels 110 b and 112 b can be realized through a wireless modem or a cellular modem. The size of wireless network 180 is not limited. For example, wireless network 180 may be a cellular network operated by Verizon, AT&T, China Mobile, or Vodafone. A cellular network can also be a mobile virtual network operator (MVNO) or mobile other licensed operator (MOLO) that provides wireless communications services but does not own the wireless or cellular network infrastructure over which the MVNO provides services to its customers.

Also for illustration purpose, node 101 establishes tunnel 201 c with node 102 through WAN interface 121 c, wireless network 181, interconnected networks 171 and WAN interface 131 c. WAN interface 121 c communicates with wireless network 181 through wireless communication channel 110 c. Wireless network 181 communicates with WAN interface 131 c through interconnected networks 171. The size of wireless network 181 is also not limited. For example, wireless network 181 may be a cellular network operated by Verizon, AT&T, China Mobile, or Vodafone. Wireless network 181 and interconnected networks 171 communicate with each other through connection 111 a. Node 102 communicates with interconnected networks 171 through connection 112 c.

Also for illustration purpose, node 101 establishes tunnel 201 d with node 102 through WAN interface 121 d, interconnected networks 171 and WAN interface 131 c. WAN interface 121 d communicates with interconnected networks 171 through connection 111 b. Node 102 uses WAN interface 131 c to communicate with interconnected networks 171 through connection 112 c.

Wireless networks 180 and 181 are preferably configured for wireless digital transfer using a suitable digital data transfer protocol such as High Speed Downlink Packet Access (HSDPA), High-Speed Uplink Packet Access (HSUPA), Code Division Multiple Access (CDMA), Evolution-Data Optimized (EVDO), Enhanced Data Rates for GSM Evolution (EDGE), General Packet Radio Service (GPRS), Third Generation Partnership Project Long Term Evolution (3GPP LTE) or any other digital data transfer protocol for wireless data transfer over radio, microwave or frequency bands used in wireless networks. In one variant, wireless networks 180 and 181 are configured for wireless digital transfer using Worldwide Interoperability for Microwave Access (WiMAX), Local Multipoint Distribution Service (LMDS), Multichannel Multipoint Distribution Service (MMDS), IEEE 802.11 technologies, such as IEEE 802.11a, IEEE 802.11b, IEEE 802.11g, IEEE 802.11n, IEEE 802.11ac, and/or IEEE 802.11ad.

WAN interfaces 121 b, 121 c and 131 b can be realized by using a connection through cellular phones, cellular modems, and/or wireless communication modems. A cellular modem, such as a 3GPP LTE modem, is capable of communicating with one or more cellular networks. A cellular modem can be an embedded cellular modem or an external cellular modem.

Connections 110 a, 112 a, 112 c, 111 a, 111 b, 115 a, 115 b, and 116 can be realized by using any type of wired or wireless connection medium. For example, wired connection media may include Ethernet, fiber channel, digital subscriber loop, cable modem, frame relay, token ring, serial bus, USB, Firewire, PCI, etc. Wireless connection media may include a wireless link such as Wi-Fi™, a wireless connection using a wireless communication protocol such as IEEE 802.11 (wireless Ethernet), Bluetooth, etc.

Interconnected networks 117, 171, and 172 can be public interconnected networks, such as the Internet, private interconnected networks, or hybrid public and private interconnected networks. For example, both interconnected networks 117 and 172 can be local area networks (LAN) connected together through tunnels 201 a, 201 b, 201 c and 201 d. In another example, interconnected networks 117 is a LAN and interconnected networks 172 is the Internet, such that node 102 performs as a gateway for interconnected networks 117 to communicate with the Internet through at least one of tunnels 201 a, 201 b, 201 c and 201 d.

A tunnel, such as tunnels 201 a, 201 b, 201 c and 201 d, is established between two networks. Through a tunnel, hosts from two different networks can communicate as if in the same network, such as in the same IP subnet. The tunnels, for example, can be implemented using Secure Sockets Layer (SSL), L2TP, Internet Protocol Security (IPSec) and SSL, IPSec and Layer 2 Tunneling Protocol (L2TP) or Point-to-Point Tunneling Protocol (PPTP). One or more tunnels can be established between two network interfaces, such as WAN interfaces 121 c and 131 c. Therefore, there could be more than the four tunnels, i.e. tunnels 201 a, 201 b, 201 c and 201 d, established between node 101 and node 102. For example, WAN interface 121 b may also establish another tunnel with WAN interface 131 c if wireless network 180 can communicate with interconnected networks 171.

Data can be stored in the payload of data packets. Node 101 encapsulates data packets in encapsulating packets, and then transmits the encapsulating packets to node 102 through one or more tunnels. When node 102 receives the encapsulating packets, node 102 decapsulates the encapsulating packets to retrieve the data packets. Encapsulating packets may be distributed among the plurality of tunnels, i.e. tunnels 201 a, 201 b, 201 c and 201 d.

Similarly, when node 102 needs to transmit data packets to node 101, node 102 first encapsulates the data packets in encapsulating packets, and then transmits the encapsulating packets to node 101 through the one or more tunnels. When node 101 receives the encapsulating packets, node 101 decapsulates the encapsulating packets to retrieve the data packets.

Those who are skilled in the arts would appreciate that a tunnel enables the encapsulation of data from one type of protocol within the datagram of the same or a different protocol. Those who are skilled in the arts would also appreciate that tunnels can be used to implement virtual private networks (VPN). In one variant, the tunnels between nodes 101 and 102 are aggregated to form an aggregated tunnel or an aggregated VPN connection. For example, tunnels 201 a, 201 b and 201 c are aggregated to form one aggregated VPN connection. The aggregated VPN connection allows, for example, data packets belonging to one TCP session to be transmitted and received through tunnels 201 a, 201 b and 201 c to take advantage of the availability of the networks connecting to WAN interfaces 121 a, 121 b and 121 c.

Those who are skilled in the arts would appreciate that there are many methods to aggregate a plurality of tunnels to form one aggregated tunnel or connection. One of the methods is disclosed in the U.S. patent application Ser. No. 12/646,774, filed Dec. 23, 2009, entitled “THROUGHPUT OPTIMIZATION FOR BONDED VARIABLE BANDWIDTH CONNECTIONS”.

Tunnel Groups

According to one of the embodiments of the present invention, when a first node forms at least two tunnel groups with a second node, one of the tunnel groups is mainly used to transmit data packets from the first node to the second node and another tunnel group is mainly used to receive data packets from the second node. In each tunnel group, there can be one or more tunnels. As there are at least two tunnel groups and each tunnel group has at least one tunnel, there are at least two tunnels established between the first node and the second node. The at least two tunnels are established through two network interfaces of the first node and at least one network interface of the second node. In one variant, the second node may perform as a gateway for the first node. In one variant, when a tunnel group is mainly used to transmit data packets from the first node to the second node, there is no data packet being transmitted from the second node to the first node through the tunnel group. In one variant, when a tunnel group is mainly used to transmit data packets from the first node to the second node, there is a small number of packets being transmitted from the second node to the first node through the tunnel group, as those packets are used for managing the tunnel group, such as transmitting health check packets, establishing one of the tunnels in the tunnel group and sending status information. In one variant, when a tunnel group is mainly used to receive data packets by the first node from the second node, there is no data packet being transmitted by the first node to the second node through the tunnel group. In one variant, when a tunnel group is mainly used to receive data packets by the first node from the second node, there is a small number of packets being transmitted from the first node to the second node through the tunnel group, as those packets are used for managing the tunnel group, such as transmitting health check packets, establishing one of the tunnels in the tunnel group and sending status information.

For illustration purpose, the first node is node 101 and the second node is node 102; a first tunnel group comprises tunnels 201 b and 201 c; and a second tunnel group comprises tunnels 201 a and 201 d. The first tunnel group is used to transmit data packets from node 101 to node 102, while the second tunnel group is used to transmit data packets from node 102 to node 101. Therefore node 102 may perform as a gateway for node 101 and the networks connected to node 101, such as network 117, host 103 a and hosts 103 b, to communicate with interconnected network 172. Furthermore, as the number of tunnels in the first tunnel group can be more than one, node 101 may use a plurality of tunnels in the first tunnel group to transmit data packets to node 102. When node 102 receives the data packets through one or more tunnels of the first tunnel group, node 102 reorders the packets before transmitting the packets to interconnected network 172 if necessary. Similarly, in another example, as the number of tunnels in the second tunnel group can be more than one, node 102 may use a plurality of tunnels in the second tunnel group to transmit data packets to node 101. When a host in interconnected networks 172 sends a packet to host 103 a, node 102 sends the packet through one or more tunnels of the second tunnel group to node 101. Then node 101 sends the packet to host 103 a through interconnected networks 117.

Similarly, as the number of tunnels in the second tunnel group can be more than one, node 102 may use a plurality of tunnels in the second tunnel group to transmit data packets. In one variant, the data packets belong to one session and node 101 reorders the packets before transmitting the packets to interconnected network 117 or host 103 b. Those skilled in the art would appreciate that there are myriad ways to use multiple network interfaces to transmit data packets belonging to the same session.

According to one of the embodiments of the present invention, when a tunnel is used to transmit data packets from node 101 to node 102, the same tunnel is not used to transmit data packets from node 102 to node 101. For example, when tunnel 201 b is used to transmit data packets from node 101 to node 102, tunnel 201 b is not used to transmit data packets from node 102 to node 101. In order for node 102 to transmit data packets to node 101, one or more of the other tunnels, such as tunnel 201 a, tunnel 201 c and/or tunnel 201 d, have to be used. A tunnel management message is sent by node 101 to instruct node 102 not to use tunnel 201 b for transmitting data packets to node 101. In one variant, node 102 can overrule the instruction sent by node 101. The ability to overrule the instruction gives the administrators of nodes 101 and 102 more flexibility to adapt to a changing network environment. In one variant, node 102 can still transmit a portion of the data packets to node 101 through tunnel 201 b, and the portion can be preconfigured by the administrator of node 102 and/or negotiated between node 101 and node 102.

In one variant, when a tunnel is used to transmit data packets from node 101 to node 102, the corresponding WAN interface establishing the tunnel at node 101 is not used to receive data packets from node 102. For example, when tunnel 201 b is used to transmit data packets from node 101 to node 102, WAN interface 121 b is not used to receive data packets from node 102. In one variant, when a tunnel is used by node 101 to receive data packets from node 102, the corresponding WAN interface establishing the tunnel at node 101 is not used to transmit data packets to node 102. For example, when tunnel 201 a is used by node 101 to receive data packets from node 102, WAN interface 121 a is not used to transmit data packets to node 102. There could be many reasons to have a WAN interface for transmitting or receiving data packets only, including that the WAN interface is half-duplex, that the network performance of the connection connected to the WAN interface is asymmetric, that the cost of transmitting or receiving data packets through the connection connected to the WAN interface is asymmetric, etc.

Tunnel Management Messages

According to one of the embodiments of the present invention, node 101 transmits tunnel management messages to node 102 for managing one or more tunnels. The usage of tunnel management messages includes: informing node 102 which group a tunnel belongs to, informing node 102 how to use a tunnel, and informing node 102 when to transmit data packets through a particular tunnel or tunnel group. In one variant, node 101 receives tunnel management messages from node 102 for managing one or more tunnels. Therefore, the usage of tunnel management messages also includes: informing node 101 which group a tunnel belongs to, informing node 101 how to use a tunnel, and informing node 101 when to transmit data packets through a particular tunnel or tunnel group.

A tunnel management message comprises a tunnel identity field and an instruction field. For example, for illustration purpose only, a first tunnel and a third tunnel belong to the first tunnel group while a second tunnel belongs to the second tunnel group. In such case, the tunnel identity field comprises the identities of the first tunnel, the second tunnel, and the third tunnel, and the instruction field comprises information that the first tunnel and the third tunnel belong to the first tunnel group while the second tunnel belongs to the second tunnel group. Therefore, after receiving the tunnel management message, node 102 can expect data packets to arrive through the first and the third tunnels, does not use the first and the third tunnels to transmit data packets to node 101, and only transmits data packets to node 101 through the second tunnel. Tunnel management messages may be sent when tunnels are about to be established, are being established or after tunnels have been established. In another example, a tunnel management message comprises information that assists node 102 to identify the tunnels and the corresponding tunnel groups in the instruction field and the identities of the corresponding tunnels in the tunnel identity field. There is no limitation that the tunnel management message can only be sent by node 101; node 102 can also send the tunnel management message. For example, a tunnel management message may comprise information that tunnels 201 a and 201 b belong to a first tunnel group and tunnels 201 c and 201 d belong to a second tunnel group. In one variant, the tunnel management messages also comprise an indicator to indicate whether a tunnel group is for both transmission and receiving, transmission only or receiving only. For example, an indicator indicates that a first tunnel group is for transmission only and a second tunnel group is for both transmission and receiving.

An indicator can be represented by a bit, a plurality of bits, a byte, a plurality of bytes, a string, a plurality of strings, XML messages, etc. Those who are skilled in the arts would appreciate that there are myriad ways to represent the indicator.

In one variant, one or more tunnels of the first tunnel group and one or more tunnels of the second tunnel group are aggregated to form one aggregated tunnel. When node 101 transmits data packets through the aggregated tunnel to node 102, node 101 uses the first tunnel group to transmit data packets. As tunnels 201 a and 201 b belong to the first tunnel group, node 101 transmits data packets through tunnels 201 a and 201 b to node 102. When node 102 transmits data packets through the aggregated tunnel to node 101, node 102 uses the second tunnel group to transmit data packets as instructed by the tunnel management messages. As tunnels 201 c and 201 d belong to the second tunnel group, node 102 transmits data packets through tunnels 201 c and 201 d to node 101. The tunnel management message can also be used to manage the aggregated tunnel. For example, when a tunnel is added to the first tunnel group, node 101 sends a tunnel management message to node 102 that there is one more tunnel in the aggregated tunnel.

According to one of the embodiments of the present invention, a tunnel management message comprises an indicator in the instruction field to indicate whether a tunnel is for both transmission and receiving, transmission only or receiving only. For example, for illustration purpose, tunnel 201 a is used for node 101 to receive data packets from node 102 only; tunnels 201 b, 201 c and 201 d are used for node 101 to transmit data packets to node 102 only. Therefore the indicator indicates that tunnel 201 a is for receiving data packets only and tunnels 201 b, 201 c and 201 d are for transmitting data packets only. Node 102 then transmits data packets to node 101 through tunnel 201 a and receives data from node 101 through tunnels 201 b, 201 c and 201 d according to the information in the tunnel management message.

In one variant, a tunnel management message comprises status information of a tunnel. The status information can be part of the information that is stored in the instruction field. In one variant, a tunnel management message also comprises a status field. The status field is used to hold information on the status of the tunnel. For example, when node 101 updates node 102 about the status of a tunnel, node 101 sends a tunnel management message with the tunnel status in the status field to node 102. The tunnel identity field holds the identity of the corresponding tunnel. The instruction field in this case may be empty as the tunnel management message is for status reporting purposes.

In one variant, a tunnel can be used by node 101 to transmit and receive data packets to and from node 102. Therefore the indicator in the tunnel management messages shows that the tunnel can be used for both transmission and receiving. In one variant, for illustration purpose, a tunnel is preferably used by node 101 to transmit data packets to node 102 and is not preferably used by node 101 to receive data packets from node 102, even though the tunnel is capable of transmission and receiving. Therefore the indicator in the tunnel management messages shows the corresponding preference. Similarly, for illustration purpose, another tunnel is preferably used by node 102 to transmit data packets to node 101 and is not preferably used by node 102 to receive data packets from node 101, even though the tunnel is capable of transmission and receiving. Therefore the indicator in the tunnel management messages shows the corresponding preference of the other tunnel.
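One concrete layout for the tunnel management message described above, as an added example that is not part of the patent: a tunnel identity field, an instruction field carrying group membership plus a direction indicator, and an optional status field, with the receiving node deriving which tunnels it may transmit on. The field names, the string encoding of the indicator and the JSON framing are assumptions made for this example; the tunnel identities follow the text's example where 201 a is receive-only for node 101 and 201 b, 201 c and 201 d are transmit-only.

```python
import json
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Direction indicator, always stated from the SENDER's point of view
# (assumed string encoding; a bit, byte or XML element would serve equally).
BOTH, TX_ONLY, RX_ONLY = "both", "tx_only", "rx_only"
VALID_DIRECTIONS = {BOTH, TX_ONLY, RX_ONLY}


@dataclass
class TunnelManagementMessage:
    """One tunnel management message: identity field, instruction field,
    optional status field (field names are assumptions)."""
    sender: str
    tunnel_ids: List[str]                                  # tunnel identity field
    instruction: Dict[str, Dict[str, str]]                 # id -> {"group", "direction"}
    status: Dict[str, str] = field(default_factory=dict)   # status field, id -> text

    def encode(self) -> bytes:
        # JSON over bytes is an assumed framing for illustration only.
        return json.dumps({
            "sender": self.sender,
            "tunnel_ids": self.tunnel_ids,
            "instruction": self.instruction,
            "status": self.status,
        }, sort_keys=True).encode("utf-8")

    @classmethod
    def decode(cls, raw: bytes) -> "TunnelManagementMessage":
        obj = json.loads(raw.decode("utf-8"))
        msg = cls(obj["sender"], list(obj["tunnel_ids"]),
                  dict(obj["instruction"]), dict(obj.get("status", {})))
        msg.validate()   # never act on a message that is internally inconsistent
        return msg

    def validate(self) -> None:
        """Reject instructions or status for tunnels absent from the identity
        field and unknown direction indicators. A status-only report legitimately
        carries an empty instruction field."""
        known = set(self.tunnel_ids)
        if len(known) != len(self.tunnel_ids):
            raise ValueError("duplicate tunnel identity")
        for tid, entry in self.instruction.items():
            if tid not in known:
                raise ValueError(f"instruction for unknown tunnel {tid}")
            if entry.get("direction") not in VALID_DIRECTIONS:
                raise ValueError(f"bad direction indicator for tunnel {tid}")
            if not entry.get("group"):
                raise ValueError(f"missing tunnel group for tunnel {tid}")
        for tid in self.status:
            if tid not in known:
                raise ValueError(f"status for unknown tunnel {tid}")


def receiver_plan(msg: TunnelManagementMessage) -> Tuple[List[str], List[str]]:
    """What the receiving node does with the message: the tunnels it may
    transmit on and the tunnels on which it should expect data. The sender's
    'tx_only' means the receiver only receives there, and vice versa."""
    may_transmit, expect_data = [], []
    for tid in msg.tunnel_ids:
        entry = msg.instruction.get(tid)
        if entry is None:          # identity listed for status reporting only
            continue
        if entry["direction"] in (BOTH, RX_ONLY):
            may_transmit.append(tid)
        if entry["direction"] in (BOTH, TX_ONLY):
            expect_data.append(tid)
    return may_transmit, expect_data


def example_from_node101() -> Tuple[List[str], List[str]]:
    """The case in the text (constructed input): node 101 marks 201 a as
    receive-only and 201 b, 201 c, 201 d as transmit-only, so node 102 transmits
    through 201 a and expects data on the other three."""
    msg = TunnelManagementMessage(
        sender="node101",
        tunnel_ids=["201a", "201b", "201c", "201d"],
        instruction={
            "201a": {"group": "second", "direction": RX_ONLY},
            "201b": {"group": "first", "direction": TX_ONLY},
            "201c": {"group": "first", "direction": TX_ONLY},
            "201d": {"group": "first", "direction": TX_ONLY},
        },
    )
    received = TunnelManagementMessage.decode(msg.encode())   # wire round trip
    return receiver_plan(received)
```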

Network Performance

In one variant, the first tunnel group comprises one or more tunnels connecting to one or more networks, and each network should have a latency of less than 150 milliseconds. When network latency is limited to less than 150 milliseconds, the network is considered a fast network. More importantly, 150 milliseconds network latency is lower than the usual network latency of satellite communications. When the network latency of the first tunnel group is more than 150 milliseconds, the advantage for node 101 of using the first tunnel group to transmit data packets to node 102 is no longer obvious, as the network latency of the first tunnel group is not significantly better than the network latency of the second tunnel group if the second tunnel group is connected to one or more satellite connections. In such case, a tunnel management message is sent by either or both of node 101 and node 102 to the other node that a tunnel group that was originally being used for receiving only can then be used for both receiving and transmission, or that a tunnel group that was originally being used for transmission only can then be used for both receiving and transmission. The value of latency can be determined based on the average, maximum, minimum or other statistical calculations of the latency observed for each tunnel in the tunnel group.

In one variant, when the first tunnel group has more than one tunnel, node 101 uses only one tunnel of the first tunnel group at a time to transmit data to node 102. The tunnel is selected from the tunnels of the first tunnel group according to predefined criteria, such as network latency, packet drop rate, bandwidth, price, signal strength, etc. The predefined criteria are entered by the administrator of node 101 through a web interface, command line, system console, and/or any other data input mechanism. Alternatively, the predefined criteria are sent to node 101 through an Internet connection, an intranet connection or SMS from a remote server. The predefined criteria can be stored in a storage medium of node 101, such as secondary storage 304 or main memory 302. In one variant, the predefined criteria are first retrieved from a remote host and then stored in a storage medium of node 101, such as secondary storage 304 or main memory 302. In one variant, when the first tunnel group has more than one tunnel, node 101 uses a link load-balancing technique to transmit data packets to node 102.

In one of the embodiments, node 101 uses the second tunnel group for transmitting data when a first condition(s) is met. For example, when node 101 is unable to use the first tunnel group for transmitting data to node 102 or the performance of the first tunnel group becomes unacceptable, the first condition(s) is met, and node 101 uses the second tunnel group for transmitting data. In one of the embodiments, node 101 uses the first tunnel group for receiving data when a second condition(s) is met. For example, when node 101 is unable to use the second tunnel group for receiving data from node 102 or the performance of the second tunnel group becomes unacceptable, the second condition(s) is met, and node 101 uses the first tunnel group for receiving data. The use of condition(s) provides the flexibility that a tunnel group can be reconfigured when the status or network performance of the tunnel group or of another tunnel group changes.

The first and second conditions are based on at least one of the following criteria: coverage, performance, traffic congestion, and latency sensitivity. For example, when the first condition is based on coverage, the first condition is met when the location of node 101 is out of the coverage of one or more networks that the first tunnel group connects to. When the condition is met, node 101 cannot use the first tunnel group for transmitting data, and therefore node 101 uses the second tunnel group to transmit data. In another example, the second condition is based on coverage and is met when the location of node 101 is out of the coverage of one or more networks that the second tunnel group connects to. When the second condition is met, node 101 cannot use the second tunnel group for receiving data, and therefore node 101 uses the first tunnel group to receive data.

There are many reasons for node 101 being out of coverage of a network. For example, when one or more tunnels of the first tunnel group connect to a cellular network which does not provide coverage outside a specific country or region, node 101 becomes out of the coverage of the cellular network when node 101 moves out of the specific country or region. Using roaming services may not be cost effective in some scenarios, and hence node 101 starts using the second tunnel group for transmitting data. In another example, node 101 may lose coverage of one or more networks that the second tunnel group connects to, depending on its location, such as when it moves outdoors or when it moves indoors. The second tunnel group comprises tunnel 201 a, which is established through satellite network 150. When satellite modem 161 moves indoors and is not pointing toward the sky, node 101 may not be able to receive data from the satellite through tunnel 201 a belonging to the second tunnel group; node 101 then uses the first tunnel group to receive data from node 102.

In another example, the first condition is based on performance and is met when the performance experienced by data transmitted or received through the first tunnel group becomes very poor and unsatisfactory. For example, node 101 starts using the second tunnel group for transmitting data when the first condition is met. In another example, the second condition is based on performance and is met when the performance experienced by data received through the second tunnel group becomes very poor. For example, node 101 starts using the first tunnel group for receiving data when the second condition is met.

In another example, when the first condition is based on latency sensitivity, the first condition is met when a data transfer is latency insensitive. When a data transfer is latency insensitive, it can use tunnels with high latency. Therefore, when the first condition is met and the data transfer is latency insensitive, node 101 can use the second tunnel group for transmitting data, since the high latency of the second tunnel group is acceptable for the latency insensitive data transfer. The second tunnel group may have high latency while transmitting data when tunnel 201 a is in the second tunnel group because, for example, tunnel 201 a is established through satellite network 150. Alternatively, when the second condition is based on latency sensitivity, and a data transfer from node 102 to node 101 is latency sensitive, node 101 uses the first tunnel group for receiving data from node 102. When a data transfer is latency sensitive, it is preferable to use tunnels with low latency. For example, the data being transferred is generated by a real-time audio conversation application, and any delay in transmitting or receiving the data will make the audio conversation difficult to listen to. The second tunnel group comprising tunnel 201 a may have higher latency than the first tunnel group. Therefore the first tunnel group is used by node 101 to receive data belonging to a latency sensitive data transfer from node 102.

There can be one or more first conditions and one or more second conditions. The first condition(s) and second condition(s) may or may not be based on the same criteria. A condition can be based on one or more criteria.

According to one of the embodiments, when a tunnel group has more than one tunnel, the network latency of the first tunnel group is the average latency, the maximum latency, the minimum latency, or the latency variance of the latencies of the more than one tunnels. For example, when the network latency of the first tunnel group is used to determine whether the first tunnel group should be used for transmitting data, then the determination is based on the average latency, the maximum latency, the minimum latency, or the latency variance of the latencies of the more than one tunnels belonging to the first tunnel group.

In another example, when the network latency of the second tunnel group is used to determine whether the second tunnel group should be used for receiving data, then the determination is based on the average latency, the maximum latency, the minimum latency, or the latency variance of the latencies of the more than one tunnels belonging to the second tunnel group. The administrator of node 101 and/or node 102 can determine which kind of latency suits their needs.

In one of the embodiments of the present invention, processing unit 301 determines whether the first tunnel group should be used for transmitting data, based on performance criterion/criteria. The performance criterion/criteria is/are selected from a group comprising packet delay, bandwidth, throughput, packet loss, packet drop, power consumption, signal noise ratio, round-trip time, interference level, error rate, quality of service, queuing delay, and packet jitter. In one variant, a threshold is predefined for the selected performance criteria, and when the threshold is not satisfied, processing unit 301 determines to use the second tunnel group for transmitting data. Processing unit 301 keeps monitoring the performance of the tunnels of the first tunnel group in order to determine whether the threshold is satisfied or not.

In one of the embodiments, processing unit 301 determines whether the second tunnel group should be used for receiving data, based on performance criterion/criteria. The performance criterion/criteria is/are selected from a group comprising network latency, response time, packet delay, bandwidth, throughput, packet loss, packet drop, power consumption, signal noise ratio, round-trip time, interference level, error rate, quality of service, queuing delay, and packet jitter. In one variant, a threshold is predefined for the selected performance criteria, and when the threshold is not satisfied, processing unit 301 determines to use the first tunnel group for receiving data. Processing unit 301 keeps monitoring the performance of the tunnels of the second tunnel group in order to determine whether the threshold is satisfied or not.

In one of the embodiments of the present invention, processing unit 301 selects tunnels for the first tunnel group and the second tunnel group based on one or more performance criteria. The performance criteria are selected from a group comprising network latency, response time, packet delay, bandwidth, throughput, packet loss, packet drop, power consumption, signal noise ratio, round-trip time, interference level, error rate, quality of service, queuing delay, usage price, location and packet jitter. In one variant, thresholds are predefined for the selected performance criteria corresponding to the first tunnel group and for the selected performance criteria corresponding to the second tunnel group. For example, processing unit 301 determines whether tunnel 201 b satisfies the threshold for the selected performance criteria corresponding to the first tunnel group. If tunnel 201 b satisfies the threshold for the selected performance criteria corresponding to the first tunnel group, tunnel 201 b belongs to the first tunnel group. Similarly, processing unit 301 determines whether tunnel 201 a satisfies the threshold for the selected performance criteria corresponding to the second tunnel group. If tunnel 201 a satisfies the threshold for the selected performance criteria corresponding to the second tunnel group, tunnel 201 a belongs to the second tunnel group. The performance criteria for selecting tunnels for the first tunnel group and the performance criteria for selecting tunnels for the second tunnel group may or may not be the same.

It is possible that a tunnel does not belong to any tunnel group if its performance does not meet the performance criterion/criteria of the tunnel group.

In one of the embodiments of the present invention, processing unit 301 keeps monitoring the performance of each of the tunnels belonging to the first tunnel group and the second tunnel group. For example, tunnel 201 b and tunnel 201 c belong to the first tunnel group. The selected performance criteria corresponding to the first tunnel group are network latency and throughput. The threshold defined for network latency is 150 milliseconds, such that the network latency of a network that a tunnel connects to must be less than 150 milliseconds. The threshold for throughput is 20 Mbps, such that the throughput of data transmission through a tunnel should in general be equal to or more than 20 Mbps. Processing unit 301 periodically determines whether tunnel 201 b satisfies the thresholds for network latency and throughput. If the network latency of a network that tunnel 201 b connects to becomes significantly more than 150 milliseconds, processing unit 301 removes tunnel 201 b from the first tunnel group because tunnel 201 b does not satisfy the threshold. Similarly, if the throughput of data transmission through tunnel 201 b becomes in general less than 20 Mbps, processing unit 301 removes tunnel 201 b from the first tunnel group because tunnel 201 b does not satisfy the threshold. In one variant, tunnel 201 b should satisfy the thresholds of both performance criteria to remain in the first tunnel group. Alternatively, tunnel 201 b should satisfy the threshold of at least one of the performance criteria to remain in the first tunnel group. In one variant, processing unit 301 determines to remove tunnel 201 b from the first tunnel group only after tunnel 201 b has not been satisfying the thresholds of the performance criteria for a predefined time period. For example, processing unit 301 determines periodically whether tunnel 201 b should remain in the first tunnel group. If tunnel 201 b does not satisfy the threshold of the performance criteria during three consecutive determinations of processing unit 301, then processing unit 301 removes tunnel 201 b from the first tunnel group. In another example, if processing unit 301 determines that the network latency of a network that tunnel 201 b connects to has been more than 150 milliseconds for more than fifteen minutes, processing unit 301 removes tunnel 201 b from the first tunnel group. When tunnel 201 b is removed from the first tunnel group, processing unit 301 uses tunnel 201 c of the first tunnel group to transmit data.

The throughput of a tunnel can be determined by processing unit 301 by transmitting data packets or testing packets through the tunnel. The throughput estimated can be the average throughput, the minimum throughput or the maximum throughput. The format of the testing packets is preferably the same as the format of the data packets that are transmitted using tunnel 201 b.

In another example, tunnels 201 a and 201 d belong to the second tunnel group. The selected performance criteria corresponding to the second tunnel group are usage price and packet drop rate. As some carriers may charge a higher usage price after a tunnel has been connected to a network for a certain time period, the usage price may increase while a tunnel is established. Processing unit 301 periodically determines whether the usage price of tunnels 201 a and 201 d is under a threshold. If the usage price of a tunnel, such as tunnel 201 a, rises above the threshold, processing unit 301 removes tunnel 201 a from the second tunnel group. When tunnel 201 a is removed from the second tunnel group, node 101 uses tunnel 201 d for receiving data. Processing unit 301 also monitors the packet drop rate through tunnels 201 a and 201 d. When the packet drop rate of a tunnel, such as tunnel 201 d, becomes higher than a threshold, processing unit 301 removes tunnel 201 d from the second tunnel group. In one variant, tunnel 201 a should satisfy the thresholds of both performance criteria to be kept in the second tunnel group. Alternatively, tunnel 201 a should satisfy the threshold of at least one of the performance criteria to be kept in the second tunnel group.
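The periodic membership check described in the preceding paragraphs (latency below 150 milliseconds and throughput of at least 20 Mbps for the first tunnel group, usage price and packet drop rate for the second, removal only after three consecutive failed determinations or after failing for more than fifteen minutes, and the "both criteria" versus "at least one criterion" variants) as an added example that is not part of the patent. The class and function names, the sample measurements and the numeric price and drop-rate limits for the second group are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Set


@dataclass
class Criterion:
    """One performance criterion with its predefined threshold."""
    name: str
    satisfied: Callable[[float], bool]   # True when a sample meets the threshold


# Thresholds for the first tunnel group as the text gives them.
FIRST_GROUP_CRITERIA = [
    Criterion("latency_ms", lambda v: v < 150.0),
    Criterion("throughput_mbps", lambda v: v >= 20.0),
]

# Second-group criteria from the text are usage price and packet drop rate;
# the numeric limits below are assumed for illustration.
SECOND_GROUP_CRITERIA = [
    Criterion("price_per_gb", lambda v: v < 5.0),
    Criterion("drop_rate", lambda v: v < 0.05),
]


@dataclass
class _History:
    consecutive_failures: int = 0
    failing_since: Optional[float] = None   # time of the first failed check in the run


class TunnelGroupMonitor:
    """Periodic membership check for one tunnel group.

    require_all selects between the two variants in the text (satisfy every
    criterion, or at least one). A tunnel is removed only once it has failed
    max_consecutive determinations in a row or has been failing for longer than
    max_failing_seconds; either limit may be None to disable it."""

    def __init__(self, criteria: List[Criterion], members: Iterable[str],
                 require_all: bool = True,
                 max_consecutive: Optional[int] = 3,
                 max_failing_seconds: Optional[float] = 15 * 60):
        self.criteria = criteria
        self.members: Set[str] = set(members)
        self.require_all = require_all
        self.max_consecutive = max_consecutive
        self.max_failing_seconds = max_failing_seconds
        self._hist: Dict[str, _History] = {m: _History() for m in self.members}

    def check(self, tunnel_id: str, sample: Dict[str, float], now: float) -> bool:
        """One determination on a fresh measurement. Returns True while the
        tunnel stays in the group, False once it has been removed."""
        if tunnel_id not in self.members:
            return False
        results = [c.satisfied(sample[c.name]) for c in self.criteria]
        passed = all(results) if self.require_all else any(results)
        h = self._hist[tunnel_id]
        if passed:
            # One satisfactory determination clears the failure run.
            h.consecutive_failures, h.failing_since = 0, None
            return True
        h.consecutive_failures += 1
        if h.failing_since is None:
            h.failing_since = now
        by_count = (self.max_consecutive is not None
                    and h.consecutive_failures >= self.max_consecutive)
        by_time = (self.max_failing_seconds is not None
                   and now - h.failing_since > self.max_failing_seconds)
        if by_count or by_time:
            self.members.discard(tunnel_id)
            return False
        return True

    def usable(self) -> List[str]:
        """Tunnels the node may currently use in this group, sorted by id."""
        return sorted(self.members)


def first_group_scenario() -> List[str]:
    """Constructed walk-through of the text's example: 201 b's latency sits far
    above 150 ms on three consecutive determinations while 201 c stays healthy,
    so after the third round only 201 c remains to transmit on."""
    mon = TunnelGroupMonitor(FIRST_GROUP_CRITERIA, ["201b", "201c"])
    good = {"latency_ms": 80.0, "throughput_mbps": 30.0}
    slow = {"latency_ms": 600.0, "throughput_mbps": 30.0}   # satellite-like latency
    for i in range(3):
        mon.check("201b", slow, now=60.0 * i)
        mon.check("201c", good, now=60.0 * i)
    return mon.usable()
```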

According to one of the embodiments of the present invention, a tunnel belongs to a tunnel group but is not being utilized. For illustration purpose only, tunnels 201 b, 201 c and 201 d belong to the first tunnel group and tunnel 201 a belongs to the second tunnel group. The first tunnel group is used to transmit data from node 101 to node 102 and the second tunnel group is used to transmit data from node 102 to node 101. It is possible that not all of tunnels 201 b, 201 c and 201 d are used at the same time to transmit data from node 101 to node 102. In one variant, only one of the tunnels 201 b, 201 c and 201 d is used to transmit data while the other two tunnels are kept for backup or hot-failover purposes. In one variant, two of the tunnels 201 b, 201 c and 201 d are used to transmit data while the remaining one is not used. The decision of which tunnel(s) to utilize and how to use the tunnels can be predefined by the administrator of node 101, the administrator of node 102 or the system operator operating both nodes 101 and 102. The decision of how data is distributed among the utilized tunnels can be defined before the tunnels are set up, during the establishment of the tunnels and/or at any time after the tunnels are established. Although this illustration only concerns the first tunnel group and the tunnels of the first tunnel group, it also applies to the second tunnel group and the tunnels of the second tunnel group.

In one of the embodiments of the present invention, a priority is assigned to each tunnel of a tunnel group by node 101. For example, tunnels 201 b, 201 c and 201 d belong to the first tunnel group. Node 101 assigns the highest priority to tunnel 201 b, the second-highest priority to tunnel 201 c and the lowest priority to tunnel 201 d. Node 101 uses any two tunnels belonging to the first tunnel group at a given time for transmitting data. Therefore, since tunnels 201 b and 201 c have a higher priority than tunnel 201 d, node 101 uses tunnels 201 b and 201 c for transmitting data when possible. If the connection through tunnel 201 b fails, node 101 then starts using tunnels 201 c and 201 d for transmitting data. The connection through tunnel 201 b may fail for various reasons, such as traffic congestion, tunnel 201 b not having enough capacity, no network coverage, or equipment malfunction. Alternatively, if the performance of data transmission through tunnel 201 b deteriorates significantly, node 101 stops using tunnel 201 b and starts using tunnels 201 c and 201 d for transmitting data.

In another example, tunnels 201 a and 201 b belong to the second tunnel group. Node 101 assigns the highest priority to tunnel 201 a and the lowest priority to tunnel 201 b. For example, node 101 is configured with a predefined configuration to assign the highest priority to tunnel 201 a in the second tunnel group because tunnel 201 a is established through satellite network 150. In another example, node 101 assigns the highest priority to tunnel 201 a in the second tunnel group because tunnel 201 a has the highest throughput and the largest coverage area. If the connection through tunnel 201 a fails, node 101 starts using tunnel 201 b for receiving data. The connection through tunnel 201 a may fail for various reasons. For example, when satellite modem 161 is moved indoors, it may not point directly at satellite network 150, and thus the connection through tunnel 201 a may fail. In another example, the network latency for receiving data through tunnel 201 a may become very high and the connection may fail because of the high network latency.

Priority is assigned to tunnels in a tunnel group according to one or more performance criteria, or can be assigned according to a predefined configuration. A predefined configuration may be entered by an administrator or a user of node 101 through a web interface, an application programming interface (API), a command line interface or a console.

When the priority is assigned according to performance criteria, node 101 determines the performance of each tunnel in a tunnel group. For example, processing unit 301 may assign the highest priority to tunnel 201 b in the first tunnel group because tunnel 201 b has the highest throughput and the lowest packet drop rate. Alternatively, processing unit 301 may assign the highest priority to tunnel 201 b in the first tunnel group because tunnel 201 b has the lowest usage price.

In one of the embodiments of the present invention, when the performance of a tunnel in a tunnel group deteriorates, the tunnel is not removed from the tunnel group, but node 101 determines not to use the tunnel. For example, when the performance of a tunnel belonging to the first tunnel group, such as tunnel 201 b, deteriorates and becomes unsatisfactory, node 101 stops using tunnel 201 b for transmitting data until the performance of tunnel 201 b becomes satisfactory again. Tunnel 201 b is marked as inactive and node 101 uses other tunnel(s) in the first tunnel group, such as tunnel 201 c, to transmit data. Node 101 may determine that the performance of tunnel 201 b has deteriorated based on one or more performance criteria. For example, when the packet drop rate of data transmission through tunnel 201 b has increased significantly, node 101 stops using tunnel 201 b for transmitting data.

In another example, when the performance of a tunnel belonging to the second tunnel group, such as tunnel 201 a, deteriorates and becomes unsatisfactory, node 101 stops using tunnel 201 a for receiving data until the performance of tunnel 201 a becomes satisfactory again. Tunnel 201 a is marked as inactive, and node 101 uses the other tunnel(s) in the second tunnel group, such as tunnel 201 d, to receive data. Node 101 may determine that the performance of tunnel 201 a has deteriorated based on one or more performance criteria. For example, when the latency of tunnel 201 a increases significantly, node 101 stops using tunnel 201 a for receiving data.

The benefit of not removing a tunnel whose performance has deteriorated from its tunnel group is that node 101 is able to start using the tunnel again as soon as the performance of the tunnel becomes satisfactory. Processing unit 301 does not need to determine again whether the tunnel should belong to the tunnel group.

In one of the embodiments, a tunnel may belong to both the first tunnel group and the second tunnel group. For example, tunnel 201 b belongs to both the first tunnel group and the second tunnel group. Tunnel 201 b is then used by node 101 for transmitting data to and receiving data from node 102 respectively. The first tunnel group comprises tunnels 201 b and 201 c, and the second tunnel group comprises tunnels 201 a and 201 b. Node 101 uses tunnels 201 b and 201 c for transmitting data, and tunnels 201 a and 201 b for receiving data. In other words, node 101 uses tunnel 201 c only for transmitting data, tunnel 201 a only for receiving data, and tunnel 201 b for both transmitting and receiving data. Processing unit 301 may select tunnel 201 b to belong to both the first tunnel group and the second tunnel group because tunnel 201 b has very good performance, such as high throughput, low packet drop rate, low latency, low usage price, or good performance based on other performance criteria.
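The priority assignment, inactive marking and shared membership described above, as an added example (not code from the patent): the 150 ms preference for the transmitting group is the page's figure, while the tunnel figures, the class names and the deterioration thresholds are constructed for this illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

SATELLITE = "satellite"
TX_LATENCY_PREF_MS = 150.0   # from the page: prefer sub-150 ms networks for transmitting
# Deterioration thresholds: constructed values for this example, not from the page.
MAX_DROP_RATE = 0.05
MAX_LATENCY_MS = {"transmit": 1000.0, "receive": 2000.0}


@dataclass
class Tunnel:
    name: str
    network: str            # "satellite", "cellular", "wired", ...
    throughput_mbps: float
    drop_rate: float        # fraction of packets dropped, 0.0 .. 1.0
    latency_ms: float
    price: float            # relative usage price


@dataclass
class TunnelGroup:
    direction: str                                  # "transmit" (first group) or "receive" (second group)
    members: dict = field(default_factory=dict)     # name -> Tunnel; a Tunnel may sit in both groups
    predefined: dict = field(default_factory=dict)  # name -> administrator-assigned priority
    inactive: set = field(default_factory=set)      # marked inactive per group, but still members

    def add(self, tunnel: Tunnel) -> None:
        self.members[tunnel.name] = tunnel

    def _score(self, t: Tunnel) -> tuple:
        """Performance-criteria ranking key; a smaller tuple means higher priority."""
        if self.direction == "transmit":
            # Prefer networks under 150 ms latency, then highest throughput, then lowest drop rate.
            return (t.latency_ms >= TX_LATENCY_PREF_MS, -t.throughput_mbps, t.drop_rate)
        # Receiving: a satellite tunnel (highest throughput, largest coverage) ranks first.
        return (t.network != SATELLITE, -t.throughput_mbps, t.latency_ms)

    def priorities(self) -> dict:
        """Map each member to a priority number, 1 being the highest.
        A predefined configuration overrides the performance ranking."""
        order = sorted(self.members.values(),
                       key=lambda t: (self.predefined.get(t.name, float("inf")), self._score(t)))
        return {t.name: rank for rank, t in enumerate(order, start=1)}

    def select(self) -> Optional[str]:
        """Highest-priority member that is not marked inactive, or None."""
        for name, _ in sorted(self.priorities().items(), key=lambda kv: kv[1]):
            if name not in self.inactive:
                return name
        return None

    def update(self, name: str, *, drop_rate=None, latency_ms=None) -> bool:
        """Apply a new measurement. The tunnel is never removed from the group: it is
        marked inactive while unsatisfactory and used again once it recovers."""
        t = self.members[name]
        if drop_rate is not None:
            t.drop_rate = drop_rate
        if latency_ms is not None:
            t.latency_ms = latency_ms
        unsatisfactory = (t.drop_rate > MAX_DROP_RATE
                          or t.latency_ms > MAX_LATENCY_MS[self.direction])
        if unsatisfactory:
            self.inactive.add(name)
        else:
            self.inactive.discard(name)
        return name not in self.inactive


def build_groups():
    """Constructed figures for tunnels 201 a to 201 d of node 101 (not measured data)."""
    a = Tunnel("201a", SATELLITE, 50.0, 0.01, 600.0, 1.0)
    b = Tunnel("201b", "wired", 20.0, 0.005, 30.0, 0.5)
    c = Tunnel("201c", "cellular", 10.0, 0.02, 80.0, 2.0)
    d = Tunnel("201d", "cellular", 8.0, 0.03, 90.0, 2.0)
    first = TunnelGroup("transmit")     # used by node 101 to transmit to node 102
    second = TunnelGroup("receive")     # used by node 101 to receive from node 102
    for t in (b, c):
        first.add(t)
    for t in (a, b, d):                 # tunnel 201 b belongs to both groups
        second.add(t)
    return first, second


if __name__ == "__main__":
    first, second = build_groups()
    print(first.priorities(), second.priorities())
    first.update("201b", drop_rate=0.2)      # drop rate jumps: 201 b goes inactive
    print(first.select(), "201b" in first.members)
    first.update("201b", drop_rate=0.005)    # recovers: used again without re-joining
    print(first.select())
```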

When processing unit 301 of node 101 or processing unit 401 of node 102 determines that a tunnel leaves or joins a tunnel group, new tunnel management messages are sent by that processing unit to inform the other processing unit whether the tunnel should be used and how to use the tunnel.

In one variant, when tunnel management messages indicate that the first tunnel group is only used by node 101 to transmit data to node 102, the first tunnel group is not allowed to be used by node 101 for receiving data from node 102 even if a corresponding condition has been met. Similarly, when the tunnel management message indicates that the second tunnel group is only used by node 101 to receive data from node 102, the second tunnel group is not allowed to be used for transmitting data to node 102 even if a corresponding condition has been met. Alternatively, new tunnel management messages are sent by node 101 or node 102 to update that the first tunnel group and/or the second tunnel group can be used for bidirectional communications. Alternatively, new tunnel management messages are sent by node 101 or node 102 to update that the first tunnel group and/or the second tunnel group are no longer used for bidirectional communications and can only be used for transmitting data from node 101 and/or receiving data at node 101 respectively.

The use of new tunnel management messages allows the flexibility to change how the first tunnel group and the second tunnel group are used for transmitting and receiving data after the tunnels have been established. In one variant, the new tunnel management messages are used to manage one or more specific tunnels instead of a tunnel group. This allows more granular management of tunnels.

In one variant, there is no need to transmit a tunnel management message when the first tunnel group has already been used to transmit data from node 102 to node 101. This is because, when data has arrived at node 101 through the first tunnel group, node 101 is able to determine that node 102 has decided to use the first tunnel group to transmit data, without the assistance of a tunnel management message. Similarly, there is no need to transmit a tunnel management message when the second tunnel group has already been used to transmit data from node 101 to node 102.

In one variant, in the case that node 101 is no longer able to, or determines not to, receive data through the second tunnel group or one of the tunnels of the second tunnel group, such as when node 101 is out of coverage, node 101 informs node 102, by using a tunnel management message, not to transmit further data through the second tunnel group or that tunnel of the second tunnel group. Similarly, in the case that node 102 is no longer able to, or determines not to, receive data through the first tunnel group or one of the tunnels of the first tunnel group, such as in a situation of heavy packet loss, node 102 informs node 101, by using a tunnel management message, not to transmit further data through the first tunnel group or that tunnel of the first tunnel group.

WAN Interface Selection

FIG. 6A and FIG. 6B are two flowcharts illustrating one of the embodiments of the present invention, in which node 101 transmits data packets to and receives data packets from node 102 respectively.

Referring to FIG. 1, node 101 first selects a first one or more WAN interfaces of node 101, such as WAN interfaces 121 a, 121 b, 121 c and 121 d, at step 601. When node 101 receives a data packet from a host or node that connects to one of its LAN interfaces 122 a and 122 b at step 602, it encapsulates the data packet into one or more encapsulating packets at step 603. Those who are skilled in the art would appreciate that the step of encapsulating a data packet allows the data packet to be sent through a tunnel. In one variant, step 601 and step 602 can be swapped, such that the selection of WAN interface is performed after a data packet has been received. The first one or more WAN interfaces of node 101 selected are mainly used for transmitting data packets from node 101 to node 102. In one variant, node 102 does not transmit data packets to node 101 through the first one or more WAN interfaces of node 101. In one variant, node 102 transmits a small number of packets to node 101 through the first one or more WAN interfaces of node 101, and these packets are used for management purposes, such as carrying status information of the connections connected to the first one or more WAN interfaces.

Then, at step 604, node 101 transmits the one or more encapsulating packets through the first one or more WAN interfaces selected at step 601. The first one or more WAN interfaces may connect to a wired or wireless network.

Node 101 also selects a second one or more WAN interfaces mainly for receiving data packets from node 102. The data packets from node 102 may be encapsulating packets. In one variant, node 102 only transmits data packets to node 101 through the second one or more WAN interfaces of node 101, such that node 101 only receives data packets from node 102 through the second one or more WAN interfaces of node 101. In one variant, node 102 transmits a small number of packets to node 101 through WAN interface(s) of node 101 that do not belong to the second one or more WAN interfaces of node 101; these packets are used for management purposes, such as health check packets or status information of the connections connected to the one or more WAN interfaces. In that case, node 101 only receives this small number of packets from node 102 through the WAN interfaces of node 101 not belonging to the second one or more WAN interfaces of node 101.

In one variant, node 101 sends node 102 information about the second one or more WAN interfaces by using a WAN interface management message. In such a case, the information includes the identities of the WAN interface(s) of node 101 that are preferred for node 102 to transmit data packets to node 101. Therefore node 102 can set the destination address of the encapsulating packet to be the address of the preferred WAN interface(s) of node 101. In one variant, the information is used as an instruction for node 102. In one variant, node 102 also determines by itself which WAN interface(s) of node 101 should be used to receive data packets from node 102 at node 101.

The uses of a WAN interface management message include: informing node 102 how to use a WAN interface of node 101, and informing node 102 when to transmit data packets through a particular WAN interface of node 101. In one variant, node 101 receives WAN interface management messages from node 102 for managing one or more WAN interfaces. Therefore, the uses of a WAN interface management message also include: informing node 101 how to use a WAN interface, and informing node 101 when to transmit data packets through a particular WAN interface.

As shown in FIG. 6B, when node 101 receives an encapsulating packet from node 102 through one of WAN interfaces 121 a, 121 b, 121 c and 121 d at step 611, node 101 decapsulates the encapsulating packet to retrieve a data packet at step 612. Then node 101 transmits the data packet to a host or node through one of its LAN interfaces 122 a and 122 b according to the destination address of the data packet at step 613.

It is preferred that node 101 selects, at step 601, a first one or more WAN interfaces that connect to a network with a network latency of less than 150 milliseconds. This allows the encapsulating packets to reach node 102 quickly. Therefore, it is preferred not to choose a WAN interface that connects to a satellite network, because the satellite round trip time is usually more than 150 milliseconds.

In one variant, the encapsulation and decapsulation performed by node 101 at step 603 and step 612 respectively allow data to be transmitted to and received from node 102 through one or more tunnels. The one or more tunnels can be established via a pair of WAN interfaces, such as WAN interface 121 b and WAN interface 131 b.

In one preferred embodiment, node 102 transmits encapsulating packets to node 101 through a satellite network, for example through tunnel 201 a. Although the satellite round trip time may be larger than the round trip time of other networks, the bandwidth offered by a satellite network could be larger than that of other networks. Further, it may be more economical for the administrator of node 102 to transmit data packets and/or encapsulating packets to node 101 through a satellite network.

In one variant, processing unit 401 of node 102 determines which WAN interface of node 101 is used to transmit the encapsulating packets from node 101 to node 102. For example, node 102 may select WAN interface 121 b of node 101. When node 102 has made the WAN interface selection decision, it sends a WAN interface management message to node 101 about the decision. Without the WAN interface management message, node 101 would not be able to recognize the need to use WAN interface 121 b to transmit encapsulating packets to node 102.

According to one of the embodiments of the present invention, the WAN interface selection decision at step 601, and the WAN interface selection decision by which node 102 determines which WAN interface is used for transmitting and receiving encapsulating packets, can be made according to: the network performance of the network connecting to each WAN interface, conditions, network coverage, geographical location, network usage price, etc.

FIG. 6C is a flowchart illustrating various embodiments according to the present invention. Node 101 transmits data packets to and receives data packets from node 102 respectively. Node 101 and node 102 together perform as a proxy/gateway for the host or node that connects to one of the LAN interfaces 122 a and 122 b of node 101. Those who are skilled in the art would appreciate that the techniques of updating the source address, updating the destination address, and restoring the original destination address, described below, are in general deployed by proxies or gateways.

Similar to the flowchart illustrated in FIG. 6A, node 101 first selects one or more WAN interfaces, such as WAN interfaces 121 a, 121 b, 121 c and 121 d, at step 631. When node 101 receives a data packet from a host or node that connects to one of its LAN interfaces 122 a and 122 b at step 632, node 101 modifies the destination address of the received data packet to be the address of one of the WAN interfaces of node 102 at step 633. The original destination address of the data packet is recorded and is sent to node 102 before the data packet is transmitted. The original destination address is used by node 102 to restore the destination address.

Then, at step 634, node 101 transmits the data packet with the modified destination address through the one or more WAN interfaces selected. When node 102 receives the packet, node 102 restores the destination address to the original destination address and modifies the source address of the data packet to be the address of one of the WAN interfaces of node 102, and then transmits the data packet to the original destination address. The purpose of restoring the original destination address is to allow the data packet to be transmitted to the original destination address. The purpose of updating the source address of the data packet to be the address of one of the WAN interfaces of node 102 is to allow the host or node at the original destination address to respond to the transmitted data packet using the address of one of the WAN interfaces of node 102, instead of using one of the WAN interfaces of node 101. When node 102 receives the response, it forwards the response to one of the WAN interfaces of node 101 by modifying the destination address of the IP packets holding the response to the address of that WAN interface of node 101. When node 101 receives the IP packets holding the response, node 101 modifies the source address of the IP packets to the original destination address.

In one variant, the WAN interface of node 101 selected by node 101 for transmitting the data packets to node 102 and the WAN interface of node 101 selected by node 102 for receiving data packets from node 102 can be the same or different. For example, at step 601 node 101 selects WAN interface 121 b to transmit encapsulating packets, and node 102 selects WAN interface 121 a to receive the encapsulated responses to the data packets encapsulated in the encapsulating packets. Similarly, for example, at step 631, node 101 selects WAN interface 121 c to transmit data packets, and node 102 selects WAN interface 131 c to transmit the responses to the data packets to node 101.

FIG. 7 illustrates a network configuration according to various embodiments of the present invention.

Node 702 can perform as a gateway, VPN gateway, or proxy for node 101, such that, for example, node 101, host 103 b, hosts and nodes in interconnected networks 117 and host 103 a can transmit and receive data packets through node 702.

According to one of the embodiments of the present invention, node 101 is configured to use a first one or more WAN interfaces to send packets to node 702 and a second one or more WAN interfaces to receive packets from node 702. For example, node 101 uses WAN interfaces 121 b and 121 c to send data packets to node 702 and uses WAN interface 121 a to receive data packets from node 702. Node 101 can be configured by an administrator or a network operator, such as the operator of satellite network 150 or the operator of wireless network 180. In one example, as node 101 is already configured with which WAN interface(s) are used, there is no need to perform step 601, because no WAN interface selection is being performed.

FIG. 8 illustrates the communication steps of an example in which node 702 performs as a gateway for host 103 b to communicate with a host in interconnected networks 171.

FIG. 9 illustrates the structure of the IP packet being transmitted at each communication step of FIG. 8. When host 103 b transmits IP packet 901 to a host in interconnected networks 171, host 103 b first transmits IP packet 901 to node 101 at step 801. IP packet 901 could be for a service request, data transfer or any other purpose. The structure of IP packet 901 is illustrated in FIG. 9. In IP packet 901, the payload field is used to hold data. The header section has a destination address field and a source address field. The destination address field is the IP address of the host in interconnected networks 171. The source address field is the IP address of host 103 b.

After node 101 has received IP packet 901 at communication step 801, node 101 encapsulates IP packet 901 in IP packet 902. As node 101 has a plurality of WAN interfaces, node 101 can choose any of the WAN interfaces to transmit IP packet 902. Alternatively, node 101 can select a WAN interface that has been determined or configured before IP packet 901 arrived. For example, node 101 selects a WAN interface based on: a configuration entered by an administrator of node 101; the latency of the connection to which a WAN interface is connected; a condition entered by an administrator of node 101; or instructions received from a remote server or node.

For illustration purposes, node 101 selects WAN interface 121 b, then transmits IP packet 902 to wireless network 180 through a wireless modem connected to WAN interface 121 b at communication step 802. The payload field of IP packet 902 stores IP packet 901. The header section of IP packet 902 has a destination address field and a source address field. The destination address field of IP packet 902 is the IP address of WAN interface 703 of node 702. The source address field of IP packet 902 is the IP address of WAN interface 121 b of node 101.

As WAN interface 703 is reachable through router 704, wireless network 180 routes IP packet 902 to router 704 at communication step 803. Wireless network 180 may connect to router 704 through private interconnected networks or public interconnected networks. For example, if node 702 and wireless network 180 are operated by the same administrator, wireless network 180 can route IP packet 902 through a direct connection to router 704. On the other hand, if node 702 and wireless network 180 are not operated by the same administrator, IP packet 902 will in general be routed to router 704 through public interconnected networks.

When router 704 receives IP packet 902, it routes IP packet 902 to WAN interface 703 at communication step 804. In one variant, router 704 performs as a gateway or a proxy with network address translation (NAT) capability, and the destination address of IP packet 902 is then updated accordingly.

When node 702 receives IP packet 902, it decapsulates IP packet 902 to retrieve IP packet 901. After examining the destination address of IP packet 901, node 702 performs network address translation (NAT) on the source address of IP packet 901. The modified IP packet 901 is IP packet 903; therefore IP packet 903 is based on IP packet 901. The source address of IP packet 903 is the IP address of WAN interface 703. Therefore, if the host in interconnected networks 171 replies, WAN interface 703 can receive the reply. The destination address of IP packet 903 is the same as the destination address of IP packet 901, which is the IP address of the host in interconnected networks 171 to which host 103 b is trying to send IP packet 901. Node 702 then transmits IP packet 903 to router 704 at communication step 805.

When router 704 receives IP packet 903, it routes IP packet 903 to the host in interconnected networks 171 at communication step 806. In one variant, router 704 performs as a gateway or a proxy with NAT capability, and the source address of IP packet 903 is then updated accordingly.

When the host in interconnected networks 171 receives IP packet 903, the host may or may not reply. If the host replies, it replies with at least one IP packet, for example IP packet 904, at communication step 807. The destination address and the source address of IP packet 904 are the IP address of WAN interface 703 and the IP address of the host in interconnected networks 171 respectively.

When router 704 receives IP packet 904, it routes IP packet 904 to node 702 at communication step 808. In one variant, router 704 performs as a gateway or a proxy with NAT capability, and the destination address of IP packet 904 is then updated accordingly.

When node 702 receives IP packet 904, it performs NAT on IP packet 904, such that IP packet 904 is modified and the destination address of the modified IP packet 904 becomes the IP address of host 103 b. Then node 702 encapsulates the modified IP packet 904 in IP packet 905 and transmits IP packet 905 to router 704 at communication step 809. The payload field of IP packet 905 stores the modified IP packet 904; therefore IP packet 905 is based on IP packet 904. The header section of IP packet 905 has a destination address field and a source address field. The destination address field of IP packet 905 is the IP address of one of the WAN interfaces of node 101. For illustration purposes, node 702 selects WAN interface 121 a. Therefore, the destination address field of IP packet 905 is the IP address of WAN interface 121 a. The source address field of IP packet 905 is the IP address of WAN interface 703.

As there can be more than one connection connecting to the plurality of WAN interfaces of node 101, node 702 can select one of the WAN interfaces of node 101 for transmitting IP packet 905 to node 101. Alternatively, node 702 can select a WAN interface that has been determined or configured before IP packet 904 arrived. For example, node 702 selects a WAN interface of node 101 based on: a configuration entered by an administrator of node 702; the latency of the connection to which a WAN interface connects; a condition entered by an administrator of node 702; or instructions received from a remote server or node.

When router 704 receives IP packet 905, it routes IP packet 905 to satellite network 150 through satellite modem 160 at communication step 810. In one variant, router 704 performs as a gateway or a proxy with NAT capability, and the destination address of IP packet 905 is then updated accordingly. In communication step 811, satellite modem 160 transmits IP packet 905 to satellite network 150, which then transmits IP packet 905 to satellite modem 161. Satellite modem 161 forwards IP packet 905 to node 101 in communication step 812 through connection medium 113.

When node 101 receives IP packet 905, it decapsulates IP packet 905 to retrieve the modified IP packet 904, which is the same as IP packet 906, and then transmits IP packet 906 to host 103 b according to the destination address in the header of IP packet 906 in communication step 813.

The communication steps shown in FIG. 8 illustrate that different WAN interfaces of node 101 are used for transmitting and receiving IP packets, even if the IP packets belong to the same session.

Those who are skilled in the art would appreciate that when router 704 performs NAT, router 704 may need to use a state database to record the translations, and the state database is in general stored in a storage unit of router 704.

In one variant, when node 702 receives IP packet 904 after step 808, it does not perform NAT on IP packet 904. Therefore IP packet 904 is not modified, and IP packet 905 encapsulates IP packet 904 instead of the modified IP packet 904. The destination address of IP packet 904 is then changed by node 101, producing IP packet 906, after step 812. This allows NAT to be performed by node 101 instead of by node 702, which may reduce the computing resource requirements of node 702.
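The packet flow of FIG. 8 and FIG. 9 (IP packets 901 to 906, with node 702 performing NAT, and the variant just described in which node 101 performs NAT instead) replayed as an added example; this is not the patent's code, and the node classes, the NAT state table and all IP addresses (documentation ranges) are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Union


@dataclass
class IPPacket:
    src: str
    dst: str
    payload: Union[bytes, "IPPacket"]   # application data, or an inner packet when encapsulating


# Constructed addresses (documentation ranges), not values from the page.
HOST_103B = "192.168.1.10"   # host on LAN interface 122 b of node 101
WAN_121A = "198.51.100.1"    # WAN interface 121 a (satellite side), used to receive
WAN_121B = "198.51.100.2"    # WAN interface 121 b (wireless network 180), used to transmit
WAN_703 = "203.0.113.7"      # WAN interface 703 of node 702
HOST_171 = "203.0.113.200"   # host in interconnected networks 171


def encapsulate(inner: IPPacket, src: str, dst: str) -> IPPacket:
    return IPPacket(src, dst, inner)          # the whole inner packet becomes the payload


def decapsulate(outer: IPPacket) -> IPPacket:
    if not isinstance(outer.payload, IPPacket):
        raise ValueError("not an encapsulating packet")
    return outer.payload


class Node101:
    """Transmits through tx_wan, receives through rx_wan (FIG. 8 uses 121 b / 121 a)."""
    def __init__(self, tx_wan: str, rx_wan: str):
        self.tx_wan, self.rx_wan = tx_wan, rx_wan
        self.sessions = {}   # remote host -> LAN host, for the variant where node 101 performs NAT

    def outbound(self, pkt: IPPacket) -> IPPacket:          # steps 801-802: 901 -> 902
        self.sessions[pkt.dst] = pkt.src
        return encapsulate(pkt, self.tx_wan, WAN_703)

    def inbound(self, outer: IPPacket) -> IPPacket:         # steps 812-813: 905 -> 906
        if outer.dst != self.rx_wan:
            raise ValueError("encapsulating packet arrived on a transmit-only WAN interface")
        inner = decapsulate(outer)
        if inner.dst == WAN_703:     # node 702 left the reply untranslated (the variant)
            inner = IPPacket(inner.src, self.sessions[inner.src], inner.payload)
        return inner


class Node702:
    """Gateway with NAT; the state table is keyed by remote host (one LAN host, for brevity)."""
    def __init__(self, nat_replies: bool = True):
        self.nat_replies = nat_replies
        self.table = {}      # remote host -> original source (host 103 b)

    def to_171(self, outer: IPPacket) -> IPPacket:          # steps 804-805: 902 -> 903
        inner = decapsulate(outer)                          # IP packet 901
        self.table[inner.dst] = inner.src
        return IPPacket(WAN_703, inner.dst, inner.payload)  # 903: source NAT to WAN 703

    def to_101(self, reply: IPPacket, wan_of_101: str) -> IPPacket:   # steps 808-809: 904 -> 905
        if self.nat_replies:
            reply = IPPacket(reply.src, self.table[reply.src], reply.payload)  # modified 904
        return encapsulate(reply, WAN_703, wan_of_101)      # 905, addressed to the chosen WAN


def run_session(nat_at_702: bool = True) -> dict:
    """Replay communication steps 801-813 and return the numbered packets of FIG. 9."""
    n101 = Node101(tx_wan=WAN_121B, rx_wan=WAN_121A)
    n702 = Node702(nat_at_702)
    p901 = IPPacket(HOST_103B, HOST_171, b"service request")   # constructed payload
    p902 = n101.outbound(p901)
    p903 = n702.to_171(p902)
    p904 = IPPacket(p903.dst, p903.src, b"reply")             # host in 171 answers WAN 703
    p905 = n702.to_101(p904, WAN_121A)                        # node 702 selects 121 a
    p906 = n101.inbound(p905)
    return {"901": p901, "902": p902, "903": p903, "904": p904, "905": p905, "906": p906}


if __name__ == "__main__":
    for number, p in run_session().items():
        print(number, p.src, "->", p.dst)
```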

According to one of the embodiments of the present invention, node 101 sends a WAN interface management message to inform node 702 which WAN interface of node 101 node 702 should transmit IP packets to. A WAN interface management message comprises a WAN interface identity field and an instruction field. For example, for illustration purposes only, WAN interfaces 121 a and 121 d can be used by node 101 to receive IP packets from node 702, while WAN interfaces 121 b and 121 c cannot be used by node 101 to receive IP packets from node 702. The WAN interface management message then comprises the identities of WAN interfaces 121 a and 121 d in the WAN interface identity field, and the instruction field holds the information that WAN interfaces 121 a and 121 d can be used by node 101 to receive IP packets from node 702 while WAN interfaces 121 b and 121 c cannot. The WAN interface management messages may be sent at any time before IP packet 905 is transmitted by node 702 in step 809. In another example, the identity(identities) of the WAN interface(s) of node 101 that node 101 uses to transmit IP packets to node 702 is(are) stored in the WAN interface identity field, and the instruction that this(these) WAN interface(s) is(are) used for transmission only is stored in the instruction field.

In one variant, a WAN interface management message comprises an indicator in the instruction field to indicate whether a WAN interface is for both transmission and receiving, transmission only, or receiving only. For example, for illustration purposes, the indicator can be represented by a bit, a plurality of bits, a byte, a plurality of bytes, a string, a plurality of strings, XML messages, etc. Those who are skilled in the art would appreciate that there are myriad ways to represent the indicator.

In one variant, WAN interface management messages are determined and transmitted by one of node 101 or node 702. Therefore, the decision of which WAN interface of node 101 to use for transmitting and/or receiving IP packets is made by node 101 or node 702. For example, an administrator of node 101 can determine which WAN interface(s) of node 101 and node 702 is(are) used for transmitting and/or receiving IP packets. Therefore, a WAN interface can be set as unidirectional transmission, unidirectional receiving or bidirectional.

In one variant, a WAN interface management message comprises status information of a WAN interface. The status information can be part of the information stored in the instruction field. In one variant, the status is stored in a status field of the WAN interface management message. For example, when node 101 updates node 102 about the status of a WAN interface, node 101 sends a WAN interface management message with the WAN interface status in the status field to node 102. The WAN interface identity field holds the identity of the corresponding WAN interface. The instruction field in this case may be empty, as the WAN interface management message is for status reporting purposes.

According to one of the embodiments of the present invention, one or more tunnels are established between two WAN interfaces of two nodes, and when a WAN interface is selected for transmission and receiving, transmission only or receiving only, the corresponding one or more tunnels that are established through the selected WAN interface are affected by the WAN interface management message. For example, when WAN interface 121 a can only be used for receiving IP packets from node 702 and cannot be used for transmitting IP packets to node 702, the one or more tunnels established through WAN interface 121 a to WAN interface 705 can also only be used for receiving IP packets from node 702 and cannot be used for transmitting IP packets to node 702.

According to one of the embodiments of the present invention, an administrator of a node determines a WAN interface pair stating a WAN interface of the node and a WAN interface of another node, such that the WAN interfaces stated in the WAN interface pair are used for transmitting and receiving, transmitting only, or receiving only IP packets between the two nodes. For example, the administrator determines a WAN interface pair, WAN interface 121 a and WAN interface 703, which is used for receiving IP packets from WAN interface 703 only. In another example, the administrator determines that a WAN interface pair, WAN interface 121 d and WAN interface 703, is bidirectional, such that WAN interface 121 d and WAN interface 703 can be used for transmitting and receiving IP packets to and from each other.
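An added example (not the patent's format) of a WAN interface management message with its identity, instruction and status fields, applied at the receiving node so that the tunnels established through a selected interface inherit its direction, as described above; the same message shape serves the tunnel management messages described earlier. The one-byte indicator, the wire layout and the interface and tunnel identities are constructed choices for this illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Direction(IntEnum):
    """Instruction-field indicator (one byte here; the page allows any representation)."""
    NONE = 0      # instruction field empty: status report only
    BOTH = 1      # transmission and receiving ("Up/Down")
    TX_ONLY = 2   # node 101 transmits only ("Up Only")
    RX_ONLY = 3   # node 101 receives only ("Down Only")


@dataclass(frozen=True)
class WanMgmtMessage:
    interfaces: tuple          # WAN interface identity field: one or more identities
    instruction: Direction     # instruction field
    status: str = ""           # status field, e.g. "up" / "down" (constructed values)

    def encode(self) -> bytes:
        """Constructed wire layout: count, then len+id per interface, one instruction
        byte, then len+status. Every length is a single byte."""
        out = bytearray([len(self.interfaces)])
        for ident in self.interfaces:
            raw = ident.encode("utf-8")
            out += bytes([len(raw)]) + raw
        out.append(int(self.instruction))
        raw = self.status.encode("utf-8")
        out += bytes([len(raw)]) + raw
        return bytes(out)

    @classmethod
    def decode(cls, data: bytes) -> "WanMgmtMessage":
        """Parse the layout above, rejecting truncated, over-long or unknown-indicator input."""
        pos = 0

        def take(n: int) -> bytes:
            nonlocal pos
            if pos + n > len(data):
                raise ValueError("truncated WAN interface management message")
            chunk = data[pos:pos + n]
            pos += n
            return chunk

        count = take(1)[0]
        idents = tuple(take(take(1)[0]).decode("utf-8") for _ in range(count))
        instruction = Direction(take(1)[0])       # ValueError on an unknown indicator value
        status = take(take(1)[0]).decode("utf-8")
        if pos != len(data):
            raise ValueError("trailing bytes after message")
        return cls(idents, instruction, status)


class WanInterfaceTable:
    """Node-side view: direction and status per WAN interface, plus the tunnels
    established through each interface (they inherit the interface's direction)."""
    def __init__(self, tunnels_by_interface: dict):
        self.tunnels = tunnels_by_interface                      # "121a" -> ["201a"]
        self.direction = {i: Direction.BOTH for i in self.tunnels}
        self.status = {i: "unknown" for i in self.tunnels}

    def apply(self, msg: WanMgmtMessage) -> list:
        """Apply a decoded message; returns the tunnels whose permitted use changed."""
        affected = []
        for ident in msg.interfaces:
            if ident not in self.tunnels:
                raise KeyError(f"unknown WAN interface {ident}")
            if msg.instruction != Direction.NONE:
                self.direction[ident] = msg.instruction
                affected += self.tunnels[ident]
            if msg.status:
                self.status[ident] = msg.status
        return affected

    def receive_interfaces(self) -> list:
        """Interfaces the peer may set as destination of its encapsulating packets."""
        return [i for i, d in self.direction.items() if d in (Direction.BOTH, Direction.RX_ONLY)]

    def transmit_interfaces(self) -> list:
        return [i for i, d in self.direction.items() if d in (Direction.BOTH, Direction.TX_ONLY)]

    def tunnel_direction(self, tunnel: str) -> Direction:
        for ident, names in self.tunnels.items():
            if tunnel in names:
                return self.direction[ident]
        raise KeyError(tunnel)


def example_exchange() -> WanInterfaceTable:
    """Node 101 as on the page: 121 a and 121 d receive only, 121 b and 121 c transmit only."""
    table = WanInterfaceTable({"121a": ["201a"], "121b": ["201b"],
                               "121c": ["201c"], "121d": ["201d"]})
    for msg in (WanMgmtMessage(("121a", "121d"), Direction.RX_ONLY),
                WanMgmtMessage(("121b", "121c"), Direction.TX_ONLY),
                WanMgmtMessage(("121a",), Direction.NONE, status="up")):  # status report only
        table.apply(WanMgmtMessage.decode(msg.encode()))                   # round trip over the wire
    return table
```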

According to one of the embodiments, a node, such as node 102, intermediates access by a host, such as host 103 a or 103 b, to interconnected networks 172. In one example, node 102 terminates incoming access requests and connections at the application layer of the Open Systems Interconnection (OSI) reference model or of the TCP/IP model. In this example, node 102 operates as an application-layer proxy to protect resources in interconnected networks 172 from direct exposure to hosts connected to node 101. Node 102 receives incoming access requests encapsulated in a packet, decapsulates the access requests to reach the underlying application data, and sends the application data comprising the access requests to interconnected networks 172.

In another example, node 102 allows direct connections between layers of the OSI reference model or of the TCP/IP model. In this example, node 102 exchanges data using a secure channel negotiated with the requesting host, such as host 103 a or 103 b. Node 102 receives a secure request via one of tunnels 201 a, 201 b, 201 c or 201 d, and makes requests to interconnected networks 172 on behalf of the requesting host, i.e. host 103 a or 103 b, to establish a data connection between the requesting host and interconnected networks 172.

FIG. 10 illustrates a webpage used to configure node 101. Webpage 1001 can be shown on the display of a laptop computer, desktop computer, handheld computing device, mobile phone or any device capable of displaying webpage 1001. Webpage 1001 has two parts: VPN Profile 1011 and WAN Connection Priority 1012. An administrator can enter the information required to set up a VPN using VPN Profile 1011, and configure the priority and the transmission and receiving of data of the WAN interfaces in WAN Connection Priority 1012. The information is used to create one or more tunnels belonging to the VPN. For example, the information is used to create multiple tunnels, and the multiple tunnels are aggregated to form one aggregated tunnel for the VPN. Those who are skilled in the art would appreciate that the information required includes security information, identity information and encryption information. In one variant, the information required is retrieved from a remote management server, a secured device coupled to node 101 or a preconfigured database. This relieves the administrator of the burden of entering the required information manually through the web page.

WAN Connection Priority 1012 has three main sections: WAN interface identity 1021, priority selection 1022 and direction selections 1031 to 1033. As node 101 has four WAN interfaces, four WAN interfaces are shown in WAN interface identity 1021. For example, “WAN 1”, “WAN 2”, “WAN 3” and “WAN 4” in WAN interface identity 1021 correspond to WAN interfaces 121 a, 121 b, 121 c and 121 d respectively. Priority selection 1022 is used to configure the priority of the WAN interfaces. For example, the priority of “WAN 1” is configured to be “OFF”, so that processing unit 301 will not use WAN interface 121 a to transmit or receive data traffic. As the priorities of “WAN 2”, “WAN 3” and “WAN 4” are configured to be “highest”, processing unit 301 uses WAN interfaces 121 b, 121 c and 121 d with the same priority. Direction selection 1031 is configured to be “Up Only”, such that processing unit 301 only uses WAN interface 121 b to transmit data. Direction selection 1032 is configured to be “Down Only”, such that processing unit 301 only uses WAN interface 121 c to receive data. Direction selection 1033 is configured to be “Up/Down Only”, such that processing unit 301 uses WAN interface 121 d to both transmit and receive data.

In one variant, the information used to configure WAN Connection Priority 1012 is retrieved from a remote management server, a secured device coupled to node 101 or a preconfigured database. This relieves the administrator of the burden of entering the required information manually through the web page.

The web page for configuring node 102 is similar, and the number of WAN interfaces in WAN interface identity 1021 will be three, as node 102 has three WAN interfaces.

FIG. 11 illustrates a webpage used to configure node 101. The design of webpage 1101 is similar to the design of webpage 1001. Webpage 1101 has two parts: VPN Profile 1111 and Tunnel Priority 1112. An administrator can enter the information required to set up a VPN using VPN Profile 1111 and configure the priority, transmission and receiving of data of tunnels in Tunnel Priority 1112. VPN Profile 1111 can be identical to VPN Profile 1011 if the information required to set up the VPN is the same.

Tunnel Priority 1112 has three main sections: tunnel identity 1121, priority selection 1122 and direction selections 1131 to 1133. As node 101 has established four tunnels with node 102, tunnel identity 1121 has four tunnels shown. For example, “Tunnel A”, “Tunnel B”, “Tunnel C” and “Tunnel D” in tunnel identity 1121 correspond to tunnels 201 a, 201 b, 201 c and 201 d respectively. Priority selection 1122 is used to configure the priority of tunnels. For example, the priority of “Tunnel A” is configured to be “OFF”, so that node 101 will not use tunnel 201 a to transmit or receive data traffic. As the priorities of “Tunnel B”, “Tunnel C” and “Tunnel D” are configured to be “highest”, processing unit 301 uses tunnels 201 b, 201 c and 201 d with the same priority. Direction selection 1131 is configured to be “Up Only”, such that node 101 only uses tunnel 201 b to transmit data. Direction selection 1132 is configured to be “Down Only”, such that node 101 only uses tunnel 201 c to receive data. Direction selection 1133 is configured to be “Up/Down Only”, such that node 101 uses tunnel 201 d to both transmit and receive data.
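The priority and direction tables of WAN Connection Priority 1012 and Tunnel Priority 1112 follow the same selection rule: rows set to “OFF” are never used, and among the remaining rows the direction setting decides whether a WAN interface or tunnel belongs to the first (transmit) tunnel group, the second (receive) tunnel group, or both. The following Python is an added example, not code from the patent, that models that rule over the rows shown on webpage 1001 and adds the check an operator would want before bringing the VPN up; the priority labels other than “OFF” and “highest”, the `healthy` flag, the direction setting assumed for the OFF row and all function names are assumptions.

```python
"""Constructed model of the WAN Connection Priority / Tunnel Priority tables.

Added example, not the patent's own code.  Priority labels other than "OFF"
and "highest", the health flag and the function names are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List

# Lower rank is preferred.  "OFF" (WAN 1 / Tunnel A on the page) is handled
# separately and never selected.  The intermediate labels are assumed.
PRIORITY_RANK: Dict[str, int] = {"highest": 0, "high": 1, "normal": 2, "low": 3}

# Direction labels exactly as they appear on webpages 1001 and 1101.
UP_DIRECTIONS = {"Up Only", "Up/Down Only"}
DOWN_DIRECTIONS = {"Down Only", "Up/Down Only"}


@dataclass(frozen=True)
class LinkConfig:
    """One row of the table: a WAN interface or a tunnel."""
    name: str             # e.g. "WAN 2" or "Tunnel B"
    priority: str         # "OFF" or a key of PRIORITY_RANK
    direction: str        # "Up Only", "Down Only" or "Up/Down Only"
    healthy: bool = True  # assumed runtime flag: claim 7 stops using a tunnel
                          # whose performance has become unsatisfactory


def validate(links: List[LinkConfig]) -> None:
    """Reject duplicate rows and labels the form does not offer."""
    seen = set()
    for link in links:
        if link.name in seen:
            raise ValueError(f"duplicate entry {link.name!r}")
        seen.add(link.name)
        if link.priority != "OFF" and link.priority not in PRIORITY_RANK:
            raise ValueError(f"{link.name}: unknown priority {link.priority!r}")
        if link.direction not in UP_DIRECTIONS | DOWN_DIRECTIONS:
            raise ValueError(f"{link.name}: unknown direction {link.direction!r}")


def select_group(links: List[LinkConfig], direction: str) -> List[str]:
    """Return the names forming the tunnel group for one direction.

    direction is "up" (first tunnel group, node -> peer) or "down" (second
    tunnel group, peer -> node).  Candidates are the healthy, non-OFF rows
    whose direction setting permits this direction; all candidates sharing
    the best priority rank are used together, as the page describes for
    three "highest" rows.  Input order is preserved.
    """
    if direction not in ("up", "down"):
        raise ValueError(f"direction must be 'up' or 'down', got {direction!r}")
    validate(links)
    allowed = UP_DIRECTIONS if direction == "up" else DOWN_DIRECTIONS
    candidates = [
        l for l in links
        if l.priority != "OFF" and l.healthy and l.direction in allowed
    ]
    if not candidates:
        return []
    best = min(PRIORITY_RANK[l.priority] for l in candidates)
    return [l.name for l in candidates if PRIORITY_RANK[l.priority] == best]


def check_both_directions(links: List[LinkConfig]) -> List[str]:
    """Operator sanity check: report any direction left with no usable row.

    A table in which every active row is "Up Only" (or every row is OFF)
    silently leaves the node unable to receive through the VPN; reporting
    that before the tunnels are set up is cheaper than debugging a one-way
    tunnel afterwards.
    """
    problems = []
    for direction in ("up", "down"):
        if not select_group(links, direction):
            problems.append(f"no usable link for direction {direction!r}")
    return problems


# The rows shown on webpage 1001 ("WAN 1".."WAN 4" map to 121a..121d).  The
# direction of the OFF row is not stated on the page and is assumed here.
WEBPAGE_1001 = [
    LinkConfig("WAN 1", "OFF", "Up/Down Only"),
    LinkConfig("WAN 2", "highest", "Up Only"),
    LinkConfig("WAN 3", "highest", "Down Only"),
    LinkConfig("WAN 4", "highest", "Up/Down Only"),
]

if __name__ == "__main__":
    print("first tunnel group (up):   ", select_group(WEBPAGE_1001, "up"))
    print("second tunnel group (down):", select_group(WEBPAGE_1001, "down"))
    print("problems:", check_both_directions(WEBPAGE_1001))
```

Run as a script, the block reproduces the page's outcome for webpage 1001: WAN 2 and WAN 4 form the transmit group, WAN 3 and WAN 4 the receive group. Marking a row `healthy=False` removes it from both groups, which is the behaviour claim 7 describes for a tunnel whose performance has become unsatisfactory; if every "highest" row for a direction is unhealthy, the next-best rank takes over, which is an assumed fallback rather than something the page states.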

In one variant, the information used to configure Tunnel Priority 1112 is retrieved from a remote management server, a secured device coupled to node 101 or a preconfigured database. This relieves the administrator of the burden of entering the required information manually through the web page.

The web page for configuring node 102 is similar, and the number of tunnels in tunnel identity 1121 will be the same, as the number of tunnels established between node 101 and node 102 is also four.

In one variant, instead of showing tunnel identities in tunnel identity 1121, the WAN interfaces of node 101 and node 102 are shown in tunnel identity 1121. As a tunnel can be established between one or more WAN interfaces of node 101 and one or more WAN interfaces of node 102, a tunnel identity can be replaced with the WAN interfaces used for establishing the tunnel.

The foregoing description of preferred embodiments of the present invention provides illustration and description, but is not intended to be exhaustive or to limit the invention to the precise form disclosed. Modifications and variations are possible in light of the above teachings or may be acquired from the practice of the invention.

1. A method for a first node disposed in a network environment, comprising: a. sending data to a second node through a first tunnel group; wherein the first tunnel group comprises at least two tunnels; b. receiving data from the second node through a second tunnel group; wherein the second tunnel group comprises at least two tunnels; c. receiving a configuration; wherein the configuration is for assigning tunnel priority for each tunnel of the first tunnel group and the second tunnel group; wherein the at least two tunnels in the first tunnel group and the at least two tunnels in the second tunnel group are formed using at least two network interfaces of the first node and at least one network interface of the second node.
2. The method of claim 1, wherein the at least two tunnels of the first tunnel group comprises at least one tunnel established through a satellite modem.
3. The method of claim 1, wherein the at least two tunnels of the second tunnel group comprises at least one tunnel established through a cellular modem.
4. The method of claim 1, further comprising aggregating at least one of the at least two tunnels in the first tunnel group and at least one tunnel of the at least two tunnels in the second tunnel group are aggregated together to form one aggregated tunnel.
5. The method of claim 1, wherein the configuration is received from a user.
6. The method of claim 5, further comprising providing a webpage to the user to enter the configuration.
7. The method of claim 1, further comprising when performance of a tunnel of the at least two tunnels of the first tunnel group becomes unsatisfactory, the tunnel is not used for sending data to the second node; when performance of a tunnel of the at least two tunnels of the second tunnel group becomes unsatisfactory, the tunnel is not used for receiving data from the second node.
8. The method of claim 1, wherein the data sent in step (a) and the data received in step (b) are encapsulated in IP packets.
9. The method of claim 1, further comprising: when a first condition is met, tunnels in the second tunnel group are also used for sending data in step (a).
10. The method of claim 1, further comprising: when a second condition is met, tunnels in the first tunnel group are also used for receiving data in step (b).
11. A first node disposed in a network environment comprising: a plurality of network interfaces; at least one processing unit; at least one main memory; at least one secondary storage storing program instructions executable by the at least one processing unit for: a. sending data to a second node through a first tunnel group; wherein the first tunnel group comprises at least two tunnels; b. receiving data from the second node through a second tunnel group; wherein the second tunnel group comprises at least two tunnels; c. receiving a configuration; wherein the configuration is for assigning tunnel priority for each tunnel of the first tunnel group and the second tunnel group; wherein the at least two tunnels in the first tunnel group and the at least two tunnels in the second tunnel group are formed using at least two network interfaces of the first node and at least one network interface of the second node.
12. The first node according to claim 11, wherein the at least two tunnels of the first tunnel group comprises at least one tunnel established through a satellite modem.
13. The first node according to claim 11, wherein the at least two tunnels of the second tunnel group comprises at least one tunnel established through a cellular modem.
14. The first node according to claim 11, further comprising aggregating at least one of the at least two tunnels in the first tunnel group and at least one tunnel of the at least two tunnels in the second tunnel group are aggregated together to form one aggregated tunnel.
15. The first node according to claim 11, wherein the configuration is received from a user.
16. The first node according to claim 15, wherein the at least one secondary storage further stores program instructions executable by the at least one processing unit for providing a webpage to the user to enter the configuration.
17. The first node according to claim 11, wherein the at least one secondary storage further stores program instructions executable by the at least one processing unit for: not using a tunnel of the at least two tunnels of the first tunnel group for sending data to the second node when performance of the tunnel becomes unsatisfactory; not using a tunnel of the at least two tunnels of the second tunnel group for receiving data from the second node when performance of the tunnel becomes unsatisfactory.
18. The first node according to claim 11, wherein the data sent in step (a) and the data received in step (b) are encapsulated in IP packets.
19. The first node according to claim 11, wherein the at least one secondary storage further stores program instructions executable by the at least one processing unit for also using the tunnels in the second tunnel group for sending data in step (a).
20. The first node according to claim 11, wherein the at least one secondary storage further stores program instructions executable by the at least one processing unit for also using the tunnels in the first tunnel group for receiving data in step (b).